【禁止转载】Spring Boot Actuator未授权访问漏洞
12.Spring Boot Actuator未授权访问漏洞
漏洞名称
Spring Boot Actuator未授权访问漏洞
漏洞地址
https://www.jianshu.com/p/3162ce30a853
漏洞等级
高危
漏洞描述
Actuator是Spring Boot提供的服务监控和管理中间件,默认配置会出现接口未授权访问,部分接口会泄露网站流量信息和内存信息等,使用Jolokia库特性甚至可以远程执行任意代码,获取服务器权限。
漏洞成因
Spring Boot Framework包含许多称为执行器的功能,可帮助您在将Web应用程序投入生产时监视和管理Web应用程序。它们旨在用于审计,运行状况和指标收集,它们还可能在配置错误时打开服务器的隐藏门。
当Spring Boot应用程序运行时,它会自动将多个端点(例如'/health','/trace','/beans','/env'等)注册到路由进程中。对于Spring Boot 1 - 1.4,它们无需身份验证即可访问,从而导致严重的安全问题。从Spring 1.5版开始,默认情况下,除“/health”和“/info`”之外的所有端点都被视为敏感和安全,但应用程序开发人员通常会禁用此安全性。
以下Actuator端点可能具有安全隐患,从而导致可能的漏洞:
•/auditevents - 显示应用暴露的审计事件 (比如认证进入、订单失败)•/autoconfig - 提供了一份自动配置报告,记录了哪些自动配置条件通过,哪些没通过•/beans - 显示应用程序中所有 Spring bean 的完整列表。•/conditions - 显示自动配置报告,报告中包含所有自动配置候选项以及应用或不应用这些候选项的原因。•/configprops - 显示所有 @ConfigurationProperties 的整理列表。•/dump - 执行线程转储。•/env - 公开 Spring ConfigurableEnvironment 中的属性。•/health - 显示应用程序的运行状况信息(通过未经验证的连接访问时显示简单的状态信息,或通过身份验证时显示完整的消息详细信息)。•/heapdump - 堆存储•/info - 显示任意应用程序信息。•/logfile - 输出日志文件的内容•/loggers - 显示和修改配置的loggers•/mappings - 显示所有 @RequestMapping 路径的整理列表。•/metrics - 显示当前应用程序的指标信息。•/restart - 重新启动应用程序•/shutdown - 允许应用程序正常关机(默认不启用),要求endpoints.shutdown.enabled设置为true•/trace - 显示跟踪信息(默认为上次的一些 HTTP 请求)。
对于Spring 1x,它们在根URL下注册,并且在2x中它们移动到“/actuator/”基本路径。
/actuator
/actuator/auditevents
/actuator/beans
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/hystrix.stream
/actuator/info
/actuator/jolokia
/actuator/loggers
/actuator/mappings
/actuator/metrics
/actuator/scheduledtasks
/actuator/threaddump
/auditevents
/autoconfig
/beans
/cloudfoundryapplication
/configprops
/dump
/env
/health
/heapdump
/hystrix.stream
/info
/jolokia
/loggers
/mappings
/metrics
/monitor
/monitor/auditevents
/monitor/beans
/monitor/conditions
/monitor/configprops
/monitor/env
/monitor/health
/monitor/heapdump
/monitor/httptrace
/monitor/hystrix.stream
/monitor/info
/monitor/jolokia
/monitor/loggers
/monitor/mappings
/monitor/metrics
/monitor/scheduledtasks
/monitor/threaddump
/threaddump
/tracev漏洞危害
修复方案
1.禁用所有接口,将配置改成:endpoints.enabled=false。要禁用trace端点,则可设置如下:endpoints.trace.enabled=false如果只想打开一两个接口,那就先禁用全部接口,然后启用需要的接口:endpoints.enabled=false将内置端点
endpoints.metrics.trace=truetrace进行授权配置为true,保证访问内置端点trace是经过授权的。logging.level.org.springframework=INFO2.Spring Boot 也提供了安全限制功能。比如
logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE
endpoints.trace.sensitive=truespring-boot-starter-security依赖并自定义配置。引入spring-boot-starter-security依赖:<dependency>3.开启
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>security功能,配置访问权限验证:management.port=8099
management.security.enabled=true
security.user.name=xxxxx
security.user.password=xxxxxx
测试过程
Spring Boot Actuator v2
http://isso.isso.isso:2800/manage
http://isso.isso.isso:2800/manage
http://isso.isso.isso:2800/manage/archaius
http://isso.isso.isso:2800/manage/nacos-discovery
http://isso.isso.isso:2800/manage/auditevents
http://isso.isso.isso:2800/manage/beans
http://isso.isso.isso:2800/manage/caches
http://isso.isso.isso:2800/manage/caches/{cache}
http://isso.isso.isso:2800/manage/health
http://isso.isso.isso:2800/manage/health/{component}
http://isso.isso.isso:2800/manage/health/{component}/{instance}
http://isso.isso.isso:2800/manage/conditions
http://isso.isso.isso:2800/manage/configprops
http://isso.isso.isso:2800/manage/env/{toMatch}
http://isso.isso.isso:2800/manage/env
http://isso.isso.isso:2800/manage/info
http://isso.isso.isso:2800/manage/logfile
http://isso.isso.isso:2800/manage/loggers
http://isso.isso.isso:2800/manage/loggers/{name}
http://isso.isso.isso:2800/manage/heapdump
http://isso.isso.isso:2800/manage/threaddump
http://isso.isso.isso:2800/manage/metrics
http://isso.isso.isso:2800/manage/metrics/{requiredMetricName}
http://isso.isso.isso:2800/manage/scheduledtasks
http://isso.isso.isso:2800/manage/httptrace
http://isso.isso.isso:2800/manage/mappings
http://isso.isso.isso:2800/manage/refresh
http://isso.isso.isso:2800/manage/features
http://isso.isso.isso:2800/manage/service-registry/beans - 显示应用程序中所有 Spring bean 的完整列表。
/conditions - 显示自动配置报告,报告中包含所有自动配置候选项以及应用或不应用这些候选项的原因。
/configprops - 显示所有 @ConfigurationProperties 的整理列表。
/dump - 执行线程转储。
/env - 公开 Spring ConfigurableEnvironment 中的属性。
/health - 显示应用程序的运行状况信息(通过未经验证的连接访问时显示简单的状态信息,或通过身份验证时显示完整的消息详细信息)。
/info - 显示任意应用程序信息。
/mappings - 显示所有 @RequestMapping 路径的整理列表。
/metrics - 显示当前应用程序的指标信息。
/shutdown - 允许应用程序正常关机(默认不启用)。
/trace - 显示跟踪信息(默认为上次的一些 HTTP 请求)。http://isso.isso.isso:2800/manage/heapdumphttp://isso.isso.isso:2800/manage/httptraceselect * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))http://zfmh.mem.gov.cn:9000/heapdumpselect * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))SpringBootExploit
https://github.com/0x727
https://github.com/0x727/SpringBootExploit
https://github.com/0x727/SpringBootExploit/archive/refs/heads/main.zip
https://ghproxy.com/https://github.com/0x727/SpringBootExploit/archive/refs/heads/main.zip
https://github.com/0x727/SpringBootExploit/releases
https://github.com/0x727/SpringBootExploit/releases/tag/1.3
更新1.3版本,支持SpringCloudGatewayRCE CVE-2022-22947
目前仅仅支持小马,NettyMemshell和SpringRequestMappingMemshell 参考 文章https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/
https://github.com/0x727/SpringBootExploit/releases/download/1.3/SpringBootExploit-1.3-SNAPSHOT-all.jar
https://ghproxy.com/https://github.com/0x727/SpringBootExploit/releases/download/1.3/SpringBootExploit-1.3-SNAPSHOT-all.jar
https://github.com/0x727/SpringBootExploit/archive/refs/tags/1.3.zip
https://ghproxy.com/https://github.com/0x727/SpringBootExploit/archive/refs/tags/1.3.zip
Spring Boot Vulnerability Exploit Check List
https://github.com/LandGrey
https://github.com/LandGrey/SpringBootVulExploit
https://github.com/LandGrey/SpringBootVulExploit/archive/refs/heads/master.zip
https://ghproxy.com/https://github.com/LandGrey/SpringBootVulExploit/archive/refs/heads/master.zipJVM堆内存分析工具-Memory Analyzer (MAT)
Memory Analyzer (MAT) 是Eclipse公司生产的Java堆内存分析器,MAT通过对堆内存的分析,可以帮助开发者查找内存泄漏并减少内存消耗。
Memory Analyzer (MAT)可以作为Eclipse的插件或独立的应用进行安装,它的官网是:
https://www.eclipse.org/mat/
Memory Analyzer (MAT) 1.12.0
https://www.eclipse.org/mat/downloads.php
https://mirror.kakao.com/eclipse/mat/1.12.0/rcp/MemoryAnalyzer-1.12.0.20210602-win32.win32.x86_64.zip
https://mirror.kakao.com/eclipse/mat/1.12.0/rcp/MemoryAnalyzer-1.12.0.20210602-macosx.cocoa.x86_64.dmgorg.apache.shiro.web.mgt.CookieRememberMeManagerbase64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb', 95,73,100,-75,97,-84,-16,32,85,6,-80,77,-88,119,63,19))VisualVM
https://visualvm.github.io/
https://visualvm.github.io/download.html
https://github.com/oracle/visualvm/releases/download/2.1.1/visualvm_211.zip
https://github.com/oracle/visualvm/releases/download/2.1.1/VisualVM_211.dmgorg.apache.shiro.web.mgt.CookieRememberMeManagerbase64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb', 95,73,100,-75,97,-84,-16,32,85,6,-80,77,-88,119,63,19))X0lktWGs8CBVBrBNqHc/Ew==heapdump查询操作
Spring Boot Actuator未授权访问发现/env中有数据库连接配置信息,但是密码都是*号,这时可以尝试是否可以下载heapdump,在内存信息中找到对应的密码。
获取配置信息:
select * from org.springframework.web.context.support.StandardServletEnvironment通过字符串匹配查找用户session:
select * from java.lang.String s WHERE toString(s) LIKE ".SESSION."JDumpSpider[1]
https://github.com/whwlsfb/JDumpSpider
https://github.com/whwlsfb/JDumpSpider/releases
https://github.com/whwlsfb/JDumpSpider/releases/tag/dev-20220414T015801
https://github.com/whwlsfb/JDumpSpider/releases/download/dev-20220414T015801/JDumpSpider-1.0-SNAPSHOT-full.jar复测情况
已修复
测试人员
南风向晚
引用链接
[1] JDumpSpider: https://github.com/whwlsfb/JDumpSpider