Practical case | RCE caused by an actuator/health leak

Author: Xiao Lactic acid, reproduced in the official account Network Security Journey.

0x01 Preface

Spring Boot sites are becoming more and more common. When testing Spring Boot for unauthorized access, 90% of testers look no further once they see only actuator/health and actuator/info exposed. During a routine round of vulnerability hunting, however, I came across an actuator/health leak that looked different from the usual one, and went on to take over the server.

0x02 Vulnerability background

A public bug bounty campaign, with authorization to penetrate the target's subdomains; I will call the target target.com.

0x03 Vulnerability mining process

I used theHarvester to collect subdomains and found a back-end login system, qwq.target.com, whose fingerprint was Spring Boot. Logging in and capturing the traffic gave the login URL: https://qwq.target.com/common/login. I then ran dirsearch against the host with a Spring Boot-specific wordlist and found that actuator/health and actuator/info were exposed to the outside world. Most actuator/health responses look like this:


This time, however, actuator/health looked like the figure below:


Note the fourteen entries under services. Looking through them, I spotted common among the fourteen names. Yes, the login interface happens to live under that same path segment.

So an odd idea was born: build a wordlist from these fourteen names and use Wfuzz to probe https://qwq.target.com/FUZZ/actuator/env. Luckily, message-api/actuator/env returned a 200 status code. At this point a Spring Boot unauthorized-access report could already be submitted.

However, later in the penetration test, while using Burp to probe the directory https://qwq.target.com/common/, I noticed the rememberMe=deleteMe field in the response returned by logout. That's right: this system turned out to be built on the Shiro framework.

I downloaded the heapdump file for analysis. Using jvisualvm, import the downloaded heapdump file and search for the field rememberme.

This yields a string of numbers, which a script converts into the plaintext key.


Successful command execution.
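As an added defensive example (not part of the original write-up), the Python below replays the pattern described above over web access-log lines from the server's side: it flags sensitive actuator endpoints that answered 200 under any service prefix, and clients that probe actuator paths under many different prefixes, which is exactly the FUZZ/actuator/env sweep. The log lines, IP addresses and prefixes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2022:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:03 +0000] "GET /actuator/info HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:04 +0000] "GET /common/actuator/env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:05 +0000] "GET /user-api/actuator/env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:06 +0000] "GET /message-api/actuator/env HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:30 +0000] "GET /message-api/actuator/heapdump HTTP/1.1" 200 51234567 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2022:10:02:00 +0000] "GET /common/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Any number of path segments, then /actuator/<endpoint>; the prefix is the service context path.
ACTUATOR_RE = re.compile(r'^(?P<prefix>(?:/[^/?]+)*)/actuator/(?P<endpoint>[A-Za-z0-9_-]+)')
# Endpoints whose exposure leaks secrets or memory; health and info are deliberately not listed.
SENSITIVE = {"env", "heapdump", "configprops", "beans", "mappings", "threaddump", "jolokia"}

def parse_actuator_request(line):
    """Return (ip, prefix, endpoint, status, path) for an actuator request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    a = ACTUATOR_RE.match(path)
    if not a:
        return None
    return m["ip"], a["prefix"], a["endpoint"], int(m["status"]), path

def detect(log_text, fuzz_threshold=3):
    """Flag sensitive actuator endpoints that answered 200 and clients probing many prefixes."""
    exposed = []
    prefixes_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_actuator_request(line)
        if rec is None:
            continue
        ip, prefix, endpoint, status, path = rec
        prefixes_by_ip[ip].add(prefix)          # "" means the application root
        if endpoint in SENSITIVE and status == 200:
            exposed.append((ip, path))
    fuzzers = {ip: sorted(p) for ip, p in prefixes_by_ip.items() if len(p) >= fuzz_threshold}
    return {"exposed": exposed, "fuzzers": fuzzers}

if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

On the application side, the corresponding fix is to limit `management.endpoints.web.exposure.include` to `health,info` (or move the actuator onto a separate, internal management port) so that env and heapdump are never reachable from the login host, and to replace Shiro's default rememberMe cipher key with a randomly generated one.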

0x04 Vendor feedback

This vulnerability also won the project's top award, and more importantly the idea behind it has given me a lot of inspiration in later vulnerability hunting.

0x05 Summary

1. Pay special attention to anything that differs from the usual.
2. It is best to carry a directory wordlist matched to the identified fingerprint.
3. Observe more and try more.

Origin blog.csdn.net/qq_18209847/article/details/128296551