
Example Analysis of Spring Boot Actuator Unauthorized Access to getshell

2025-01-22 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

This article analyses unauthenticated access to Spring Boot Actuator endpoints and how it can be turned into a shell on the server. The content is detailed and easy to follow, the steps are reproducible, and it has some reference value. If you are interested, follow along with the editor through this "example analysis of Spring Boot Actuator unauthorized access to getshell".

Preface

My department lead found this vulnerability on a vendor SRC (security response center) program. It is a relatively old issue, but I found it interesting enough to set up a local test environment and reproduce it.

Actuator is a module provided by Spring Boot for introspecting and monitoring a running application; with it, developers can easily view and collect an application's monitoring metrics. When Actuator is enabled and no access control has been configured for it, an unauthenticated user can read the application's monitoring data through the default actuator endpoints, which leads to information disclosure and, in some configurations, to complete takeover of the server.

Actuator endpoints come in two kinds: native (built-in) endpoints and user-defined custom endpoints. The native endpoints used in this article are env, trace and mappings; refresh, which the RCE chain below relies on, is added by Spring Cloud (spring-cloud-context) rather than by Spring Boot itself.

Exploitation ideas

Use env together with refresh to get a shell.

Use mappings to find interfaces that lack authorization checks.

Use trace to obtain authentication material (Cookie, token, Session) and then call authenticated interfaces with it.

env may disclose database credentials (for example MongoDB); of course this only matters if the database is also reachable from the public network, which is less likely.

A foreign write-up says SQL statements can also be executed this way, but I have not yet understood how.

Vulnerability discovery

The first step is to identify that the web application is built on the Spring Boot framework. There are two main ways to tell:

Through the page's icon (favicon.ico): if the developer has not replaced the default icon of a Spring Boot web application, the home page shows the default small green leaf icon.

Through the framework's default error page: if the developer has not customised the default 4xx and 5xx error pages, any 4xx or 5xx error produces Spring Boot's "Whitelabel Error Page". Visit an arbitrary, non-existent path such as http://172.26.2.24:8090/index; getting that page indicates the site uses Spring Boot (this is the case most often met in practice).

Combining the two: visit different directories and check for the small green leaf icon, then trigger 4xx or 5xx errors under different paths and check whether a Whitelabel Error Page comes back.

Vulnerability exploitation

Visit the /trace endpoint to obtain basic HTTP request trace information (timestamps, HTTP headers, and so on). If a logged-in user's requests appear in it, their cookie can be replayed to log in as that user.

Visit the /env endpoint to obtain all environment properties. Because Actuator monitors the site's database services such as MySQL and MongoDB, database connection information is sometimes visible there. If that database also happens to be exposed to the public network, the impact is severe.

RCE caused by improper configuration of the /env endpoint

Pre-condition: the application includes the Eureka client (Eureka-Client).
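For reference, the following is an added example (not from the article) of the Spring Boot `application.properties` that produces the exposure discussed above, next to a hardened version that closes it. The property names are Spring Boot's own (1.x first, then the 2.x equivalents); the port, address and context-path values are illustrative, and the two blocks are alternatives rather than one file.

```properties
# --- Weak configuration: what a target like the one in this article looks like ---
# Sensitive endpoints (env, trace, mappings, ...) are served on the application
# port with no authentication, and /env additionally accepts POST, which is
# what the env + refresh chain needs.
management.security.enabled=false
endpoints.sensitive=false
endpoints.env.post.enabled=true

# --- Hardened configuration (Spring Boot 1.x) ---
# Require authentication for sensitive endpoints (needs Spring Security on the classpath).
management.security.enabled=true
endpoints.sensitive=true
# Never allow the environment to be modified over HTTP.
endpoints.env.post.enabled=false
# Disable endpoints that are not needed at all; these three leak the most.
endpoints.env.enabled=false
endpoints.trace.enabled=false
endpoints.mappings.enabled=false
# Serve what remains on a separate port bound to loopback, so it is not
# reachable from the internet even if the authentication above is misconfigured.
management.port=8081
management.address=127.0.0.1
management.context-path=/manage

# --- Equivalent on Spring Boot 2.x (endpoints live under /actuator) ---
# Only health and info are exposed over HTTP; everything else is opt-in.
management.endpoints.web.exposure.include=health,info
management.endpoint.env.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
```

The check that matters for this article is the combination: is POST to /env possible, is /refresh present (i.e. Spring Cloud is on the classpath), and is the Eureka client included. Removing any one of the three breaks the chain; removing the network exposure of the management port breaks all of them at once.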


© 2024 shulou.com SLNews company. All rights reserved.
