Are applications that use Spring Http Invoker at risk from Java serialisation attacks?

Time: 2022-03-30 05:02:46

I have an application that exposes an endpoint using HttpInvokerServiceExporter from Spring. I have been trying to investigate whether or not this is at risk from the Java (Apache commons-collections) serialisation exploit (as detailed here).


I have been trying to generate payloads that can be sent to the endpoint for testing, but I haven't managed to get a definitive answer so far. I have checked out the ysoserial project for generating payloads but I believe the problem with this is that the HttpInvoker expects the serialised Object to be of type RemoteInvocation, which is not what ysoserial generates.


So my questions are:


  1. Is a Spring endpoint configured like this at risk?

  2. How can I generate a payload that would exploit it, so that I can validate that I have closed the exploit after my fix?

1 solution

#1

0

I have found the answer to my own questions:


  1. Yes. I have successfully managed to exploit my server using a simple HTTP POST to the Spring endpoint.

  2. Spring Http Invoker expects the object it receives to be a RemoteInvocation instance, which contains a method to be executed on the server side (i.e. a method that you are exposing on some interface). It has the following constructor:

    public RemoteInvocation(String methodName, Class[] parameterTypes, Object[] arguments)

so to use the exploit you just have to put the object that ysoserial generates into the Object[] arguments. This will result in it being unserialised before attempting and failing to execute the method on the exposed interface and therefore it will execute the command you specified.
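A defender-side mitigation for question 1, added here as an example that is neither the answerer's nor Spring's own code: the exporter below overrides the protected createObjectInputStream hook that HttpInvokerServiceExporter inherits from RemoteInvocationSerializingExporter and attaches a JEP 290 ObjectInputFilter allowlist, so any class outside the list (the commons-collections gadget classes carried in a ysoserial payload, for instance) is rejected before readObject() can instantiate it. It assumes Java 9+ and a hypothetical com.example.api package holding the exposed interface's parameter and return types.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

// Added example, not Spring's own code: an exporter that only deserialises an
// explicit allowlist of classes. Requires Java 9+ for java.io.ObjectInputFilter.
public class FilteringHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    // Filter pattern: listed classes are allowed, the trailing "!*" rejects every
    // other class. Array types are matched on their component type, so the
    // Class[] and Object[] fields of RemoteInvocation are covered by
    // java.lang.Class and java.lang.Object. "com.example.api.**" is an assumption:
    // replace it with the package(s) of the types your exposed interface uses.
    private static final String ALLOW_PATTERN =
            "org.springframework.remoting.support.RemoteInvocation;"
            + "java.lang.Object;java.lang.Class;java.lang.String;"
            + "java.lang.Integer;java.lang.Long;java.lang.Boolean;"
            + "com.example.api.**;"
            // Resource limits against deeply nested or oversized streams; tune to
            // the largest legitimate invocation your interface accepts.
            + "maxdepth=16;maxrefs=2048;maxbytes=1048576;"
            + "!*";

    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter(ALLOW_PATTERN);

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // Keep Spring's own stream (class-loader aware), just add the filter to it.
        ObjectInputStream ois = super.createObjectInputStream(is);
        // A rejected class makes readObject() throw InvalidClassException before
        // any constructor, readObject or readResolve of that class runs.
        ois.setObjectInputFilter(FILTER);
        return ois;
    }
}
```

The same pattern string can be applied JVM-wide through the jdk.serialFilter system property, which also covers any other ObjectInputStream the application creates; a RemoteInvocation carrying a payload argument should then fail with InvalidClassException instead of executing the command.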
