From the vulnerability description at https://pivotal.io/cn/security/cve-2014-1904 we know two things are required: the Spring form tag, and a spring-mvc version earlier than 3.2.8. So I wrote a demo; the code is as follows:
````
package net.codersec.entity;

// Form-backing bean; it is bound to the form via commandName="user" in the JSP.
// The class declaration and the two fields were lost in the extracted post and
// are reconstructed here so that the getters and setters below compile.
public class User {

    private String username;
    private String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
````
````
package net.codersec.controller;

import net.codersec.entity.User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Created by bsmali4 on 18/1/25.
 */
@Controller
public class UseController {

    // The wildcard mapping means any path under /login/ reaches this handler,
    // and that full request path is what form:form echoes as its action.
    @RequestMapping(value = "/login/*")
    public String login(Model model) {
        model.addAttribute("user", new User());
        return "login";
    }
}
````
The form tag has to be bound to a bean, which is specified through the commandName attribute of form:form:
````
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<html>
<body>
<h2>Hello,welcome to CVE-2014-1904!</h2>
<form:form method="post" commandName="user">
    <form:input path="username"/>
    <form:input path="password"/>
    <input type="submit" value="login"/>
</form:form>
</body>
</html>
````
One behaviour needs explaining here: when form:form has no action attribute set, spring-mvc automatically uses the current request URL as the action. If that URL is not filtered, this results in an XSS.
The official fix shipped in version 3.2.8 is a patch to org/springframework/web/servlet/tags/form/FormTag.java.
It essentially URL-encodes the URL once. How would you bypass it? You can try for yourselves. I tried several common approaches without getting past it; if anyone has ideas, feel free to discuss. This post is only meant as a set of notes, the wording is not rigorous, and corrections are welcome.
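As an added example (not code from the original post or from Spring), the snippet below models the behaviour described above: the request URI is written straight into the form's action attribute before the fix, and percent-encoded first after it. The encoder is an assumption that follows the RFC 3986 path character set; the real implementation is in the linked commit.

```python
from urllib.parse import quote

# RFC 3986 "pchar" characters plus "/" as the segment separator survive
# unencoded; everything else (including " < >) is percent-encoded.
# This set is an assumption standing in for Spring's own path encoder.
PATH_SAFE = "-._~!$&'()*+,;=:@/"


def encode_path(request_uri: str) -> str:
    """Percent-encode every character of the request URI outside the pchar set."""
    return quote(request_uri, safe=PATH_SAFE)


def render_form_vulnerable(request_uri: str) -> str:
    """Pre-3.2.8 behaviour: form:form with no action echoes the raw request URI."""
    return f'<form method="post" action="{request_uri}">'


def render_form_fixed(request_uri: str) -> str:
    """3.2.8-style behaviour: the request URI is URL-encoded once before use."""
    return f'<form method="post" action="{encode_path(request_uri)}">'


def action_breaks_attribute(rendered_form: str) -> bool:
    """Detection check: does the action value still contain a raw quote or angle bracket?

    Any of these characters inside the attribute lets the value escape the
    action="..." context, which is the root cause of CVE-2014-1904.
    """
    start = rendered_form.index('action="') + len('action="')
    end = rendered_form.rindex('">')
    value = rendered_form[start:end]
    return any(c in value for c in '"<>')


if __name__ == "__main__":
    # Constructed request path under the /login/* mapping from the demo controller.
    uri = '/login/x"y<z>'
    for label, form in (("vulnerable", render_form_vulnerable(uri)),
                        ("fixed", render_form_fixed(uri))):
        print(f"{label:10s} {form}  breaks attribute: {action_breaks_attribute(form)}")
```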
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
https://www.cnblogs.com/Summer7C/p/4713190.html
This article is from bsmali4的小窝 (bsmali4's blog), compiled and edited by NNN4cy.