SpringMvc xss (CVE-2014-1904)学习与分析

NNN4cy 漏洞分析 2018-05-15

1165 0 0

介绍

https://pivotal.io/cn/security/cve-2014-1904 根据漏洞描述：

内容

可以知道需要用form标签，选择3.2.8版本以前的spring-mvc。然后写了一个demo,代码如下:

bean

PHP
<span class="p">````</span>
<span class="k">package</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">entity</span><span class="p">;</span>

<span class="k">public</span> <span class="k">String</span> <span class="n">getUsername</span><span class="p">()</span> <span class="p">{</span>
    <span class="n">return</span> <span class="n">username</span><span class="p">;</span>
<span class="p">}</span>

<span class="k">public</span> <span class="n">void</span> <span class="n">setUsername</span><span class="p">(</span><span class="k">String</span> <span class="n">username</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">this</span><span class="p">.</span><span class="n">username</span> <span class="p">=</span> <span class="n">username</span><span class="p">;</span>
<span class="p">}</span>

<span class="k">public</span> <span class="k">String</span> <span class="n">getPassword</span><span class="p">()</span> <span class="p">{</span>
    <span class="n">return</span> <span class="n">password</span><span class="p">;</span>
<span class="p">}</span>

<span class="k">public</span> <span class="n">void</span> <span class="n">setPassword</span><span class="p">(</span><span class="k">String</span> <span class="n">password</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">this</span><span class="p">.</span><span class="n">password</span> <span class="p">=</span> <span class="n">password</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">````</span>

				
					
				1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

						<span class="p">````</span>
<span class="k">package</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">entity</span><span class="p">;</span>
 
<span class="k">public</span> <span class="k">String</span> <span class="n">getUsername</span><span class="p">()</span> <span class="p">{</span>
    <span class="n">return</span> <span class="n">username</span><span class="p">;</span>
<span class="p">}</span>
 
<span class="k">public</span> <span class="n">void</span> <span class="n">setUsername</span><span class="p">(</span><span class="k">String</span> <span class="n">username</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">this</span><span class="p">.</span><span class="n">username</span> <span class="p">=</span> <span class="n">username</span><span class="p">;</span>
<span class="p">}</span>
 
<span class="k">public</span> <span class="k">String</span> <span class="n">getPassword</span><span class="p">()</span> <span class="p">{</span>
    <span class="n">return</span> <span class="n">password</span><span class="p">;</span>
<span class="p">}</span>
 
<span class="k">public</span> <span class="n">void</span> <span class="n">setPassword</span><span class="p">(</span><span class="k">String</span> <span class="n">password</span><span class="p">)</span> <span class="p">{</span>
    <span class="n">this</span><span class="p">.</span><span class="n">password</span> <span class="p">=</span> <span class="n">password</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">````</span>
 

					

			

controller

PHP
<span class="p">````</span>
<span class="k">package</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">controller</span><span class="p">;</span>

<span class="n">import</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">entity</span><span class="p">.</span><span class="n">User</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">stereotype</span><span class="p">.</span><span class="n">Controller</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">ui</span><span class="p">.</span><span class="k">Model</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">web</span><span class="p">.</span><span class="n">bind</span><span class="p">.</span><span class="n">annotation</span><span class="p">.</span><span class="n">RequestMapping</span><span class="p">;</span>

<span class="p">/**</span>
 <span class="p">*</span> <span class="n">Created</span> <span class="n">by</span> <span class="n">bsmali4</span> <span class="n">on</span> <span class="m">18</span><span class="p">/</span><span class="m">1</span><span class="p">/</span><span class="m">25.</span>
 <span class="p">*/</span>
<span class="p">@</span><span class="n">Controller</span>
<span class="k">public</span> <span class="n">class</span> <span class="n">UseController</span> <span class="p">{</span>

    <span class="p">@</span><span class="n">RequestMapping</span><span class="p">(</span><span class="n">value</span> <span class="p">=</span> <span class="s2">"/login/*"</span><span class="p">)</span>
    <span class="k">public</span> <span class="k">String</span> <span class="n">login</span><span class="p">(</span><span class="k">Model</span> <span class="k">model</span><span class="p">){</span>
        <span class="k">model</span><span class="p">.</span><span class="n">addAttribute</span><span class="p">(</span><span class="s2">"user"</span><span class="p">,</span> <span class="n">new</span> <span class="n">User</span><span class="p">());</span>
        <span class="n">return</span> <span class="s2">"login"</span><span class="p">;</span>
    <span class="p">}</span>

<span class="p">}</span>

<span class="p">````</span>

				
					
				1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

						<span class="p">````</span>
<span class="k">package</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">controller</span><span class="p">;</span>
 
<span class="n">import</span> <span class="n">net</span><span class="p">.</span><span class="n">codersec</span><span class="p">.</span><span class="n">entity</span><span class="p">.</span><span class="n">User</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">stereotype</span><span class="p">.</span><span class="n">Controller</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">ui</span><span class="p">.</span><span class="k">Model</span><span class="p">;</span>
<span class="n">import</span> <span class="n">org</span><span class="p">.</span><span class="n">springframework</span><span class="p">.</span><span class="n">web</span><span class="p">.</span><span class="n">bind</span><span class="p">.</span><span class="n">annotation</span><span class="p">.</span><span class="n">RequestMapping</span><span class="p">;</span>
 
<span class="p">/**</span>
 <span class="p">*</span> <span class="n">Created</span> <span class="n">by</span> <span class="n">bsmali4</span> <span class="n">on</span> <span class="m">18</span><span class="p">/</span><span class="m">1</span><span class="p">/</span><span class="m">25.</span>
 <span class="p">*/</span>
<span class="p">@</span><span class="n">Controller</span>
<span class="k">public</span> <span class="n">class</span> <span class="n">UseController</span> <span class="p">{</span>
 
    <span class="p">@</span><span class="n">RequestMapping</span><span class="p">(</span><span class="n">value</span> <span class="p">=</span> <span class="s2">"/login/*"</span><span class="p">)</span>
    <span class="k">public</span> <span class="k">String</span> <span class="n">login</span><span class="p">(</span><span class="k">Model</span> <span class="k">model</span><span class="p">){</span>
        <span class="k">model</span><span class="p">.</span><span class="n">addAttribute</span><span class="p">(</span><span class="s2">"user"</span><span class="p">,</span> <span class="n">new</span> <span class="n">User</span><span class="p">());</span>
        <span class="n">return</span> <span class="s2">"login"</span><span class="p">;</span>
    <span class="p">}</span>
 
<span class="p">}</span>
 
<span class="p">````</span>
 

					

			

其中标签需要绑定一个bean，其在form的commandName属性绑定

PHP
````
	  <span class="nt">&lt;</span><span class="err">%@</span> <span class="na">page</span> <span class="na">language=</span><span class="s">"java"</span> <span class="na">contentType=</span><span class="s">"text/html; charset=UTF-8"</span> <span class="na">pageEncoding=</span><span class="s">"UTF-8"</span><span class="err">%</span><span class="nt">&gt;</span>
<span class="nt">&lt;</span><span class="err">%@</span> <span class="na">taglib</span> <span class="na">prefix=</span><span class="s">"form"</span> <span class="na">uri=</span><span class="s">"http://www.springframework.org/tags/form"</span> <span class="err">%</span><span class="nt">&gt;</span>
<span class="nt">&lt;html&gt;</span>
<span class="nt">&lt;body&gt;</span>
<span class="nt">&lt;h2&gt;</span>Hello,welcome to CVE-2014-1904!<span class="nt">&lt;/h2&gt;</span>
<span class="nt">&lt;form:form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">commandName=</span><span class="s">"user"</span><span class="nt">&gt;</span>
    <span class="nt">&lt;form:input</span> <span class="na">path=</span><span class="s">"username"</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;form:input</span> <span class="na">path=</span><span class="s">"password"</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">value=</span><span class="s">"login"</span><span class="nt">/&gt;</span>

<span class="nt">&lt;/form:form&gt;</span>

<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>

````

				
					
				1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

						````
	  <span class="nt">&lt;</span><span class="err">%@</span> <span class="na">page</span> <span class="na">language=</span><span class="s">"java"</span> <span class="na">contentType=</span><span class="s">"text/html; charset=UTF-8"</span> <span class="na">pageEncoding=</span><span class="s">"UTF-8"</span><span class="err">%</span><span class="nt">&gt;</span>
<span class="nt">&lt;</span><span class="err">%@</span> <span class="na">taglib</span> <span class="na">prefix=</span><span class="s">"form"</span> <span class="na">uri=</span><span class="s">"http://www.springframework.org/tags/form"</span> <span class="err">%</span><span class="nt">&gt;</span>
<span class="nt">&lt;html&gt;</span>
<span class="nt">&lt;body&gt;</span>
<span class="nt">&lt;h2&gt;</span>Hello,welcome to CVE-2014-1904!<span class="nt">&lt;/h2&gt;</span>
<span class="nt">&lt;form:form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">commandName=</span><span class="s">"user"</span><span class="nt">&gt;</span>
    <span class="nt">&lt;form:input</span> <span class="na">path=</span><span class="s">"username"</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;form:input</span> <span class="na">path=</span><span class="s">"password"</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">value=</span><span class="s">"login"</span><span class="nt">/&gt;</span>
 
<span class="nt">&lt;/form:form&gt;</span>
 
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
 
````
 

					

			

这里需要说明一个特性，在form:form中未设置action的时候，spring-mvc会自动将当前url设置为action,比如如果没有过滤的话会造成一个xss官方在3.2.8版本修复补丁如下在org/springframework/web/servlet/tags/form/FormTag.java位置

其实就是url转码了一次,怎么绕过，大家可以自己试试?我试了几种常见的方式没有绕过去，如果大家有想法，欢迎一起交流。本文权当笔记纪录，文字很不严谨，如有错误，欢迎提出来。

参考文档

https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485 https://www.cnblogs.com/Summer7C/p/4713190.html

本文由来源 bsmali4的小窝，由 NNN4cy 整理编辑！

漏洞分析

SpringMvc xss (CVE-2014-1904)学习与分析

介绍

内容

bean

controller

参考文档

NNN4cy

相关文章

“双子星”文档攻击预警 – 新型的跨平台恶意文档攻击分析报告

D-Link-Dir-850L-远程命令执行漏洞

java反序列化漏洞-金蛇剑之hibernate(上)

热评文章

最赞的文章

发表评论

漏洞分析

介绍

内容

bean

controller

参考文档

NNN4cy

相关文章

“双子星”文档攻击预警 – 新型的跨平台恶意文档攻击分析报告

D-Link-Dir-850L-远程命令执行漏洞

java反序列化漏洞-金蛇剑之hibernate(上)

热评文章

最赞的文章

发表评论

用户登录